Think Like a Hacker
This week, we are discussing the “Security Mindset” – how to think like a hacker. The goal of this week is to develop our skill at thinking outside the box, the way a hacker would, and to identify ways to take advantage of openings and vulnerabilities to accomplish things different from what was intended.
Thinking Like a Hacker
Bruce Schneier is a famous cybersecurity expert, and most of today’s readings are from him. He has been thinking a lot about the security mindset and how hackers think – and why thinking like a hacker can be important and valuable for a lot more people than just hackers.
First, read this article by Bruce Schneier about the security mindset. It was originally published in Wired, but is available for free on his website: https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
In that article, he mentions a course at the University of Washington where students did security analyses of common, everyday situations. One interesting analysis is of a car dealership. Another is about breaking into dorm rooms. Choose one of those and read it.
Those are good illustrations of what it means to think like a hacker. We will be practicing this in class a lot this semester.
Threat Modeling
I’d also like you to work on understanding “Threat Models”. Threat models are ways of thinking about the set of possible attacks as a whole rather than one at a time. Once you have identified multiple potential attacks, you need to prioritize them: which attacks are most likely, which are unlikely, and which ones should we be most worried about?
One of Schneier’s books, Secrets and Lies, is about how to think about cybersecurity. For this week, we are going to read two chapters from his book, which are conveniently available to us through the UW Library. Some of the examples in the book are slightly dated, but the thinking about security is not.
(Note: You may need to first access this book through the library website. Go to https://library.wisc.edu and search for the book “Secrets and Lies: Digital Security in a Networked World”. There is a “15th anniversary edition” of the book that is available online through the UW library. Click the “view online” link, which should take you to the O’Reilly publisher website for the book. Once you can see the book there, the links below to specific chapters should work, or you can look up the chapters yourself.)
First read Chapter 19: Threat Modeling and Risk Assessment. This chapter helps us think about WHY we would want to look at multiple different possible attacks at once, and helps us to start thinking about what to focus on. It is about a common cybersecurity idea called “Threat Modeling”, where you think about all the different ways a system can be attacked.
Then read Chapter 21: Attack Trees. This chapter presents a useful tool for thinking through multiple different possible attacks: drawing up attack trees and using them to reason about the attacks in a given situation. The example(s) here are very dated, but the idea of using an attack tree to think about threats is very common and important.
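Attack trees are easy to turn into a small program, which makes the prioritization question above (cheapest attack, most likely attack, attacks within a given budget) concrete. The following is an added example written for this page; it is not code from Schneier’s chapter or from the course. Each leaf carries an assumed attacker cost, an assumed success probability, and a feasibility flag; OR nodes mean any child suffices, AND nodes mean every child is needed. The sample tree, its step names, and every number in it are constructed for illustration and are not taken from the UW student analyses.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One node of an attack tree. The root is the attacker's goal."""
    name: str
    kind: str = "leaf"          # "leaf", "or" (any child achieves it), "and" (all children needed)
    cost: float = 0.0           # assumed attacker effort for a leaf, arbitrary units
    prob: float = 1.0           # assumed chance that the leaf step succeeds
    feasible: bool = True       # False marks a leaf the attacker cannot do at all
    children: List["Node"] = field(default_factory=list)


# A complete attack scenario: (total cost, success probability, leaf steps used)
Path = Tuple[float, float, Tuple[str, ...]]


def enumerate_paths(node: Node) -> List[Path]:
    """Every complete way of achieving `node`.

    An OR node contributes each child's paths separately. An AND node combines
    one path from every child (cross product), adding costs and multiplying
    probabilities. An infeasible leaf yields no path, so any AND that needs it
    disappears from the list entirely."""
    if node.kind == "leaf":
        return [(node.cost, node.prob, (node.name,))] if node.feasible else []
    if node.kind == "or":
        return [p for child in node.children for p in enumerate_paths(child)]
    if node.kind == "and":
        paths: List[Path] = [(0.0, 1.0, ())]
        for child in node.children:
            paths = [(c1 + c2, p1 * p2, s1 + s2)
                     for (c1, p1, s1), (c2, p2, s2) in product(paths, enumerate_paths(child))]
        return paths
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_paths(node: Node, max_cost: Optional[float] = None) -> List[Path]:
    """Scenarios sorted cheapest first (ties broken by most likely first),
    optionally keeping only those within an assumed attacker budget."""
    paths = enumerate_paths(node)
    if max_cost is not None:
        paths = [p for p in paths if p[0] <= max_cost]
    return sorted(paths, key=lambda p: (p[0], -p[1]))


def cheapest(node: Node) -> Optional[Path]:
    ranked = rank_paths(node)
    return ranked[0] if ranked else None


def most_likely(node: Node) -> Optional[Path]:
    paths = enumerate_paths(node)
    return max(paths, key=lambda p: p[1]) if paths else None


# Constructed sample tree: illustrative steps and made-up numbers only.
DORM_ROOM = Node("Enter a locked dorm room", "or", children=[
    Node("Pick the lock", cost=30, prob=0.3),
    Node("Use a key", "or", children=[
        Node("Borrow the resident's key", cost=5, prob=0.5),
        Node("Copy the master key", "and", children=[
            Node("Get the master key for an hour", cost=40, prob=0.2),
            Node("Have a blank cut", cost=10, prob=0.9),
        ]),
    ]),
    Node("Get the resident to open the door", "and", children=[
        Node("Wait until the resident is home", cost=1, prob=0.9),
        Node("Pose as a maintenance worker", cost=15, prob=0.6),
    ]),
    # A leaf ruled out entirely (say, the room is on the fourth floor).
    Node("Climb in through the window", cost=0, prob=0.95, feasible=False),
])


if __name__ == "__main__":
    for cost, prob, steps in rank_paths(DORM_ROOM):
        print(f"cost {cost:>5.1f}  p={prob:.2f}  " + " + ".join(steps))
    print("cheapest:", cheapest(DORM_ROOM)[2])
    print("most likely:", most_likely(DORM_ROOM)[2])
    print("within budget 20:", [p[2] for p in rank_paths(DORM_ROOM, max_cost=20)])
```

Running it lists four scenarios (the infeasible window leaf never appears), ranks borrowing the key as the cheapest and the social-engineering branch as the most likely, and shows only two scenarios within a budget of 20. The numbers are guesses, which is the point of the exercise: the value of an attack tree is in arguing about which leaves are cheap, likely, or impossible, and then seeing which branch that argument makes the one to defend first. Full enumeration is exponential in the size of the tree, which is fine for trees drawn by hand.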
Optional
If you find this topic particularly interesting, I recommend reading Bruce Schneier’s latest book: A Hacker’s Mind. It is a great exploration of all the ways thinking like a hacker is and is not important in society, how rules and system constraints really work, why breaking rules is important for systems to function and evolve, and how powerful people use this skill all the time to bend and break rules for their own benefit. Not required for this class, but a very interesting book.
Summary + Question
In this class, when there is a reading, you will usually be asked to submit a “Summary + Question” on Canvas.
Sometimes, you will be asked to do an “open summary”, where you summarize what you understand about the concept of the week. Other times, you will be asked to do a “guided summary”, where I give you a question or two and ask you to answer them. Either way, the summary should be more than one sentence long, but no longer than one or two paragraphs. This is your opportunity to really think about the topic for the week and try to wrap your brain around it. Don’t quote from the readings; instead, try to integrate across them and use your own words to explain the concept.
For this week, we will do a guided summary. I want you to summarize your thinking about the security mindset. What is the security mindset, and what does it mean to “think like a hacker” to you? Do you think you have it or not?
Second, I would like you to think carefully and ask a thoughtful question about the readings. That’s right – YOU ask the question. The instructor will read through these questions before class, and use them to help tailor the class to the things that you are interested in and to help make sure that you are able to learn the things that you found confusing.
There are three types of questions that you can ask (though you only have to ask one question):
- A confusion question asks about something that you are still confused about even after reading the assigned material. It can be confusion about a specific point or a more general confusion about the topic overall.
- A curiosity question asks about something that you want to learn more about. The readings may have gotten you thinking about something related that is not really discussed in the material; that is, they made you curious about something else. This is a great chance to express that curiosity.
- A connection isn’t a question; instead, it is an example that applies the concept you are learning to some other aspect of your life or some other interesting thing in the world.
After reading the material, come up with one question; it can be of any of these three types.
Also, we are going to have an exam at the beginning of class.
Exam on Monday
At the beginning of the next class, we will have our one and only exam: the Kobayashi-Maru exam.
The exam will be a closed book, closed notes, no computer, no Internet exam. I will write the exam on the whiteboard, and you will have to write your responses on paper and turn them in. You are not allowed to use outside information to help you; you can only use your writing utensil (pen or pencil), your paper, and your mind. This is an individual test; you must work alone on this test. If you are caught cheating (e.g. using outside information, working with others), you will receive the same grade as if you turn in a blank sheet of paper with nothing but your name on it.
I’ll let you know the questions on the exam ahead-of-time so you can study. The exam will only have one question on it:
The ratio of a circle’s circumference to its diameter is known as pi, and is somewhere between 3 and 4. Please write the value of pi to 50 digits after the decimal place. No partial credit will be given.
Yes, that is the one and only question. Yes, it is easy to Google the answer, though remember: you are not allowed to use computers, Google, ChatGPT, or the Internet during the exam. Unless you have extraordinary memory skills, I doubt that you can memorize the answer, and unless you have extraordinary math skills, you probably cannot calculate the answer during the test. That is, you almost certainly cannot pass the test by normal means.
Instead, the only way to pass this test is to cheat.
Yes, that’s right. You must cheat to pass this test. Remember the rules: if you are caught cheating, then you get the same grade as if you turn in a blank sheet of paper. So don’t get caught. Find a way to cheat so you can pass this test. I will be proctoring this exam, and will do my best to catch you cheating.
The goal of this test is to think like an attacker. Think outside of the box. You’ve been given a set of rules. Now find a way to get what you want by bending and breaking the rules, and hiding your tracks. Imagine yourself taking the test, and find a way to cheat so you can pass. Be creative; creativity is how attackers figure out how to break into computing systems. This test is about practicing your ability to get around the rules to get what you want.
For this test (and only this test) cheating will not be reported to the university. However, be responsible; you are still accountable for any consequences of your cheating outside of this class. Don’t do anything dangerous; for example, if you pull the fire alarm, then you will have to answer to the fire department and police department, and I will not defend you. So don’t do that.