Comments to instructors
In addition to the assignments below, some of the Class Discussion Exercises in the text on pages 302-303 are suitable for student presentation assignments. Exercise 9.25 includes a scenario similar to that in Assignment 1 below; you might want to use it as a variant. It can be useful to assign different groups of students to slightly different scenarios; they may consider subtle differences to be important, generating good discussion.
In a few assignments, two groups of students are assigned the same topic. I do this hoping that their presentations will bring out different points. If the presentations are too similar, I just assign one group to that topic when I use it again.
General instructions given to students
The presentations should analyze the situation, use analogies and similar cases where possible, mention various possible risks or consequences, etc. Include some discussion of how new technology changes the situation. What advantages or problems result from using it, compared to the old way of doing things? Present the group's proposals and/or conclusions, supported by arguments.
Asmt. 1: Hacking to improve security
You discovered a flaw in software used by a national bank's Web site
that allows anyone who knows about the flaw to read all information about
other people's bank accounts.
You consider it a serious privacy risk.
You sent e-mail to the bank about the problem but received no answer.
What should you do next? Discuss pros and cons of various possible
actions.
Groups 1 and 2: Both groups have the same assignment.
Asmt. 2: Appropriate penalties for hackers
Comments to instructors
I've used selections from the following scenarios and other variants,
usually several in one class so that the
presentations cover hackers of
different ages and hackers that do different levels of damage.
Our class discussion
about penalties for teen-age hackers whose intentions are nonmalicious
gets very lively.
Generally, students argue for strong penalties, including jail
time, for most hacking cases that cause disruption.
The assignment (as given to the students)
Your group is a committee of prosecutors, computer scientists, and members of the hacking community who oppose malicious and destructive hacking. You have been asked to evaluate specific hacking cases and recommend penalties. Tell what other information, besides what is given below, you consider relevant and how your decision would depend on it. Most of these are real cases. The unauthorized access in each case is illegal, and you may assume that the right person was caught. The law allows long jail sentences for some of these offenses. However, you do not have to use any existing law to determine the penalty. Decide what you think is reasonable and explain your reasons.
Group 1: A 17-year-old was charged with hacking the Los Angeles Police
Department's anti-drug Web page and putting pro-drug slogans and images
on the site. He admitted to hacking Web sites of the U.S. Commerce
Dept. and an Internet security firm.
Group 2: A 28-year-old college student was charged with breaking into
military and government computers, gaining control of a NASA system, and
interrupting business at an Internet service provider. He did not disrupt
national defense or meddle with satellite controls.
Group 3: A major denial-of-service attack such as the one in 2000.
(See page 260.) The perpetrator is 15 years old.
Group 4: A major denial-of-service attack such as the one in 2000.
(See page 260.) The perpetrator is 30 years old.
Group 5: A 16-year-old boy broke into 12 Defense Department computers.
He did not destroy any files. It appeared he looked around at
various directories, then exited.
Group 6: A 16-year-old boy hacked into computers that controlled
communications for a local airport, rendering the system unusable for
six hours. The airport used a backup radio system; flights were
delayed but there were no mishaps.
Group 7: Any recent hacking case in the news.
Asmt. 3: Hacktivism
Group 1: Argue that hacktivism should be recognized as a form of civil
disobedience and not considered in the same ethical category as malicious,
destructive hacking.
Group 2: Argue that hacktivism should not be considered a special
ethical category of hacking; it should be treated ethically and
legally like any other hacking.
Asmt. 4: How broad is anti-hacking law?
The background for this scenario is true. A woman is accused of registering on
MySpace as a 16-year-old boy, beginning an online flirting relationship with a
13-year-old girl in her neighborhood (a former friend of the woman's
daughter), then breaking off the relationship and sending cruel messages.
The girl killed herself.
Prosecutors charged the woman with accessing MySpace without authorization,
a violation of the Computer Fraud and Abuse Act. Their argument is
that MySpace's user agreement includes the statement that users will provide
truthful registration information and not promote information they know to be
false or misleading. The groups will present statements on whether
this interpretation of the anti-hacking law is appropriate.
Group 1: the prosecutors, defending the charge
Group 2: an Internet civil liberties organization arguing that the CFAA does
not apply to violating the terms of service agreement of a Web site
Group 3: a group of parents of teenagers who have committed suicide, taking
whatever position the group chooses
Group 4: you, taking whatever position your group chooses
Asmt. 5: War driving
A "war drive" is an organized event in which people drive by office buildings
using laptops, radio scanners,
and other equipment to detect wireless networks that are not secure
(e.g., on which messages can be intercepted and/or outsiders can gain
access to the computer system). Organizers map vulnerable locations
on a Web site, where some drives are announced in advance
and take place in several cities and countries. War driving is a
hobby for some, a public service for others (exposing security
weaknesses and encouraging improvements), a sales tool for security
services, and a means of finding insecure networks to access for free
Web surfing and e-mail and possibly more serious intrusions or theft
of information.
Each of the following people is interviewed and asked to give their
arguments for or against war driving.
Group 1: The president of a network security services company.
Group 2: One of the organizers of a war drive Web site.
Group 3: The president of a company whose network was listed as vulnerable
on a previous war drive.
Group 4: A computer crime specialist from the FBI.
Group 5: You.
Asmt. 6: Adapting to hacking
Consider the analogy between occasional downtime on the Web as a result of viruses,
worms, or denial-of-service attacks and vehicle traffic slowdowns
on roads during rush hour or caused by bad weather.
Describe similarities; then evaluate.
Are both side effects of modern civilization that we have to get used to?
How can individuals and businesses reduce the negative impacts
on themselves?
Groups 1 and 2: Both groups have the same assignment.
Asmt. 7: Applying state law to nonlocal online businesses (Added 1/2/09)
A judge in the state of Kentucky
seized the Web addresses of more than 100 gambling sites that allow
people to gamble at online slot machines and roulette tables. Such
gambling is illegal in Kentucky. The online gambling companies do not
have a physical presence in Kentucky. Suppose you are participating in an
appeal of the judge's action.
Group 1: A representative of the state government defending the action.
Group 2: A lawyer for the gambling sites opposing the action.
Asmt. 8: Presenting hacking information (Added Aug. 9, 2009)
Three MIT students discovered serious security flaws in Boston's
subway fare system. They prepared a presentation for a conference
showing the flaws and demonstrating how to generate free fare cards.
At about the same time, New York City accused several people of
stealing $800,000 from the city's subway system by taking advantage of an error
in the software in the machines that sell fare cards.
Group 1: You are the professor who teaches the security course the students are taking. What advice would you give the students about their planned presentation?
Group 2: Shortly before the scheduled presentation, the transit authority asks a judge to prohibit the presentation. It wants time to fix the flaws before they are publicized. You represent the transit authority. Present arguments to the judge.
Group 3: You represent the students. Present arguments against the order to the judge.
Group 4: Should the judge grant the order? Why, or why not?