Sunday, 19 December 2021

I'm a Hacker!

Every year we get grades 9s who waft into our high school believing they are god's gift to computing.  In the vast majority of cases I discover that they've learned how to do one or two things, but the moment you move them out of their area of 'expertise' (which is usually so small you couldn't really call it an area so much as a corner), things fall apart.

We have such a genius in this year's grade 9 cohort.  When the class was given CyberPatriot's Unity OS security simulation to play, he didn't know how to open a zipped file and get the game running.  When I queried him about it, the conversation went something like this:

"You told me you're this great hacker, but you can't open a zipped archive?"

"Well, this isn't what I usually do."

"You told me you're this great hockey player who can score goals from anywhere on the ice, but when I ask you to show me how you skate, stick handle and shoot you can't do any of it, which makes me wonder what it is you think you're good at."

Taking a script that you found online and running it doesn't make you a hacker, it makes you an idiot.

The student in question has proudly boasted of swatting people, which I'd describe less as hacking and more as criminal harassment that wastes limited emergency services.  This clarifies the difference between a hacker and a criminal in simple terms anyone can understand.  One is focused on complex skills development, the other is focused on finding shortcuts.

hacker noun

hack·​er | \ ˈha-kər

1: one that hacks
2: a person who is inexperienced or unskilled at a particular activity; a tennis hacker
3: an expert at programming and solving problems with a computer
4: a person who illegally gains access to and sometimes tampers with information in a computer system

#2 comes very close to what this guy is in terms of being a hacker, though he'd be popular with actual criminals if he's thick enough to run scripts that he doesn't understand; he'd be the perfect trigger man.  If we're applying the term in computer studies, a hacker is generally someone who is expert at solving problems with a computer or getting into systems.  In either case this skillset has traditionally required years of complex skills development including a challenging apprenticeship of trial and error learning on the wilds of the internet.  Criminals seldom have the kind of patience and intelligence to develop these skills; it's part of what makes them criminals.

Malware is being sold as a service: the
'hackers' running it are plain old criminals
What has happened recently is that cybercriminal activity has become professionalized.  Many of the people doing the 'hacking' now have no idea what they're doing (like this grade 9).  They buy malware as a service software from professional criminal organizations (many of whom have ties to state cyber-warfare actors) and then run a dashboard that provides them with ready-made hacking tools that do the thinking for them.  Some of these MaaS systems even provide IT support!  No genuine hacker would ever want nor need IT support, they'd provide it themselves.

I'm currently re-reading Matt Crawford's The World Beyond Your Head in which he makes a strong philosophical argument for developing complex skills rooted in real world experience.  Crawford goes to great length to describe how these hard-earned skills often develop a corresponding moral character in the majority of practitioners; reality is a consistent and demanding teacher and it demands rigour and focus.

I have students who have developed deep, complex digital skillsets in the course of our four year program and I would proudly acknowledge that they are hackers in the correct sense of the word, but what most would-be hackers are is really script kiddies who run other people's code simply to perform malicious acts.

Script kiddies exist in the first place because we go out of our way not to teach digital literacy and cyberfluency in our schools.  In the absence of any direction, some of the blunter tools wander into this kind of self-identification.  Students have to take 8 years of geography and history in elementary and then have mandatory geography and history courses in high school too, but there are no mandatory digital fluency courses in any Ontario high school - even after we've forced everyone into a remote learning stance due to COVID.  Many of the problems that have arisen during emergency remote learning are a result of the terrible digital skills many educators and students possess.  Script kiddies are just another symptom of our digitally illiterate education system - a system that depends increasingly on digital tools and networked information to operate.

This grade 9 may well sort himself out and become a hacker in the real sense, though I find the most boastful ones tend not to have the wherewithal to develop complex skillsets such as those required by a genuine hacker.

At the CyberTitan nationals in 2018, one of our team members (then valedictorian then University of Waterloo Computer Science student), became intrigued with the idea of pentesting as a career.  Penetration testing is something that has evolved quickly as networked cybersecurity best practices have evolved.  The thinking is basically this:  if you want to understand how best to respond to the rapid evolution of cyberattacks, have a skilled pentester come in and probe your network for weaknesses and then assist your defensive team in sealing up any gaps in your system.  Now THAT is a hacker!

White hat hackers used to do this as a kindness, though most recently it has also become a bounty hunting situation, and now a lucrative profession.  Top pentesters are in high demand and make good money.  What they don't do is download and run scripts they don't understand and then not know how to perform even simple tasks on a computer - that would be a good way to lose any credibility with their employer.

I'm in the awkward position of seeing this happen in another class.  Were it me, I'd be leaning on this student hard to see what it is they actually think they know.  Being at arm's length in this scenario, my biggest worry is that this student will use our technology to hurt someone else (I fear this has already happened).  If we had a student come into the school who had been convicted of vehicular manslaughter, I doubt we'd put them in an automotive technology class, yet we don't think twice about taking a potentially digitally dangerous student and dropping them into computer technology?

This is a tricky situation to navigate.  I'm actually hoping this student has genuine potential and we can get him engaged with doing more than running scripts he has no understanding of.  In learning the rigours of operating in cyberspace, he will also most probably become less of a braggart as he aligns himself with the reality of the situation.