Content-Type: text/html
This paper was presented at the Association for Education in Journalism and
Mass Communication in San Antonio, Texas August 2005.
If you have questions about this paper, please contact the author
directly. If you have questions about the archives, email
rakyat [ at ] eparker.org. For an explanation of the subject line,
send email to
[log in to unmask] with just the four words, "get help info aejmc," in the
body (drop the "").
(Jan 2006)
Thank you.
Elliott Parker
====================================================================
Hacking Authority:
Teens Negotiating Acceptable Use in School Computing
Abstract
In the context of growing global reliance on networked computers, the
negative impact of malicious computer
hacking, or cracking, is increasing in speed and magnitude. While
corporations can allocate significant resources to
network security, government agencies, schools, and not-for-profit
organizations struggle to protect sensitive
information from malicious attacks. Noting that preventive
ethics-based education of young computer-users is
largely absent from the discourse of network security strategy, the
author argues that the dearth of ethics-based
computing curriculum, policies, and procedures causes schools to
inadvertently function as training grounds for
young crackers. Tight public education budgets and inadequate
technical training for school staff members lead
educators to implement policies, procedures, and pedagogical methods
that teach computer-proficient students the
value and practice of ethical computing. The article describes
results of an ethnographic study of the ways in which
staff at a public high school attempted, using various strategies, to
invest students in protecting network security on
campus.
Growing global reliance on networked computers has increased the
impact of malicious network hacking, or
cracking. While government agencies and corporations have focused
substantial organizational resources and
rhetoric on legalization and implementation of heightened
surveillance of networks, pursuit and prosecution of
criminals, and recovery of data, the dearth of preventative policy
and program development indicates an overlooked
but crucial component of a national strategy to prevent and reduce
cracking. In this article I develop the argument
that policy makers must address the need for ethical computing
strategies and policies at the K-12 level designed to
acculturate young computer hackers away from cracking and toward
ethical computing. Using the case of New
Technology High School, a U.S. Department of Education Demonstration
Site public school in Napa, California,
this article describes a three-year long participant observer
ethnographic study of the successes and failures
associated with the school's attempt to socialize its hacker students
to act as ethical and invested citizens in a
networked environment.
The Cost of Network Attacks
Crimes committed using computers include those that are unique to
computers and those that criminals have
adapted for perpetration over international computer networks. A
large portion of computer crime can be understood
as new iterations of crimes that predate personal computers and the
Internet. Fraud, piracy, identity theft, credit card
theft, insider trading, and child pornography distribution are
examples of pre-PC era crimes that are now frequently
perpetrated via computer networks. Certain features of the Internet,
including instant communication, relative
anonymity, and international scope, have enabled criminals to commit
crimes more easily and with greater gain.
Acquiring money and goods with little effort is the primary goal of
such crimes (Goslar, 2000).
The second category of computer crime includes crimes unique to
networked computer environments. These
crimes include denial-of-service attacks, data destruction, Trojan
attacks, password theft, slave platforming, graffiti,
email-borne viruses, firewall attacks, and syn-flood attacks. Rather
than financial gain, what typically motivates the
individuals who commit such crimes is thrill-seeking; learning new
tricks; seeking the opportunity to show off
skills; becoming part of an exclusive community; taunting authority;
and enacting David vs. Goliath scenarios
(Goslar, 2000). Because these intrusions are often little more than
pranks, they exist in contrast to the blatantly
criminal "hard-core" computer crimes mentioned earlier.
In some cases the pranks are labeled "hacktivism," such as
politically-motivated graffiti on corporate web
sites that challenges the ideology of the company. For example, in
September 2000 a hacktivist defaced the OPEC
web with commentary including the statement, "I think I speak for
everyone out there … when I say you guys need
to get your collective asses in gear with the price of crude" (as
quoted in Knight, 2000). In another case, a selfdescribed
tagger nicknamed "Nemesystm" tagged sites such as the U.S. Navy
Patrol Squadron's with his lyrical
poetry (Lemos, 2000b). Scholar and cyber-liberties activist Doug
Rushkoff reports experiencing guilty pleasure
when they hear of hacktivist attacks, reveling in the subversive,
anti-hegemonic flavor of the pranks, viewing them
as fleeting reminders of the fact that the Internet was originally
developed with public funds and therefore rightfully
belongs to all citizens (Rushkoff, 2000).
The tolerance of ideological hacking is expected to wane as more
citizens go on-line more frequently and are
consequently affected by network slow-downs and site unavailability
caused by hacktivists and others. Civil
libertarians and privacy advocates, who cherish the remaining open,
free-wheeling "new frontier" remnants of the
Internet, have argued that increased publicity of attacks will result
in tighter government regulation and increased
surveillance of citizens' Internet activities in the name of national
security (United Press International, 2000). In
fact, in September, 2000 European and U.S. officials were finalizing
the world's first international cybercrime
treaty, which would require countries to allow police and government
agencies significant leeway in search and
seizure of computers and networks, despite strenuous objections from
privacy advocates (Gruenwald, 2000).
Hackers fear that unless the hacker/hacktivist community moves
aggressively toward self-regulation,
including the reining-in of "script kiddies" (young, unskilled
crackers) and those who write tools for them, corporate
and public pressure to crack down on hackers will result in a
witch-hunt. Old-guard hackers and network security
administrators who work toward responsible network use, so-called
"white hat" hackers, have admonished those
"black hat" hackers who disclose security holes to the public and
even create and distribute tools to allow script
kiddies to exploit the holes (Lemos, 2000c). Until self-regulation is
visibly effective in deterring network attacks,
businesses and government agencies will continue to advocate
increased restrictions.
E-commerce businesses and government agencies have reacted to
destructive computer network attacks by
calling for and attempting to implement tighter security measures and
more serious punishments for criminal attacks
against computer networks. Business leaders fear the lower profits
that could result because of loss of consumer
confidence in e-commerce and computer network security in general
(Robinson, 2000). This fear appears to be wellfounded,
according to a recent poll commissioned by the Information Technology
Association of America which
found that four out of five respondents doubted the U.S. government's
ability to keep computers secure (Reuters,
2000a). According to the head of the National Security Agency Lt.
Gen. Michael Hayden, even non-malicious
hacker break-ins cause great damage to public confidence, forcing the
NSA to redouble efforts to protect ecommerce
as well as military networks (Reuters, 2000b). The threat to
e-commerce is well-publicized in part
because businesses and commercial networks are the most common
targets of both hacktivists and crackers
(Rushkoff, 2000). In addition, companies are increasingly willing to
attach large dollar figures to their prevention
and recovery efforts, knowing that such publicity will bolster the
argument for legalizing more surveillance and
tighter restrictions on Internet use. Loss of productivity caused by
cracking has thus far resulted in billions of
dollars' worth of damage worldwide (Biagi, 2000), with a predicted
cost of $1.6 trillion for the year 2000 (Goslar,
2000).
The private sector and government agencies have focused
organizational resources on improved network
surveillance, better recovery of data, vigorous prosecution, and
harsher punishment. Corporations are able to
allocate significant resources to network security. American
companies spent $4.2 billion in 1999 for security
software alone, with a predicted increase to $7.4 billion by 2002
(Koerner & Glasser, 2000). Despite the large
monetary investment in security software, such software catches only
attacks by unskilled crackers. The recent highprofile
attacks wrought by script kiddies who used unsophisticated,
off-the-shelf attack programs are examples of
the type of attack that security software is designed to detect
(Taylor, 2000a). Highly-skilled security administrators
are necessary to detect and trace more sophisticated attacks, and
even so most high-level attacks go unsolved (Koch,
2000).
Workers with network security skills are in critically short supply,
typically leaving the military and other
federal agencies, where they received training, for more lucrative
private sector positions (Bajaj, 2000). Even though
network security workers' average annual salary increased 11.47% from
the previous year (Fujii, 2000), the
disparity between federal and private salary scales for security
administrators is striking: entry level workers with
the government earn at most $30,000 per year, compared to the $90,000
to $120,000 earned in the private sector
(United Press International, 2000). The increasing demand in the
private sector for skilled security experts forces
government agencies, schools, and other not-for-profit organizations
to compete in vain with the escalating salaries
and stock option packages that private sector companies offer to
skilled security administrators (Bajaj, 2000).
The inability of the government to compete for workers is
unfortunate, since arguably the national defenserelated
networks are the United States' resource most in need of protection.
Government agencies are concerned
about network attacks due to the possibility of unauthorized access
to and manipulation of secret government
information systems, including military systems. The current
rethinking of the very parameters of national security
is in part due to the threat of computer sabotage (Matthews, 2000).
However, the inability to compete with
corporations for workers has lead to serious gaps in the government's
network security. A recent congressional
investigation of federal agencies' readiness to repel network
infiltration netted an overall grade of D-, indicating the
high level of vulnerability throughout government networks (House
Subcommittee on Government Management,
Information, and Technology, 2000). Growing concern about network
vulnerability lead President Clinton to
propose a plan to spend $2 billion to protect national
infrastructure-related computer networks (United Press
International, 2000).
Among the efforts to combat malicious attacks are an increasing
number of "counterhacking" education
courses available. While higher education has been slow to catch on
to the need for high-level network security
training (Bajaj, 2000), private companies such as EDS, Foundstone,
and Ernst & Young have begun to offer courses
with names like "Extreme Hacking" which train corporate employees to
hack into their own networks in order to
better protect them. However, hackers such as Emmanuel Goldstein,
editor of the hacker publication 2600, assert,
"corporations can't teach hacking" (Taylor, 2000b). According to
Goldstein, "[hacking] has to be in you" (Taylor,
2000b), implying that even when corporations attempt to teach
technical skills, employees will still lack the innate
sensibility necessary to think like a hacker. This observation
suggests that if white hat hackers, civil libertarians,
business leaders, and government agencies believe in the importance
of acculturating computer-proficient
individuals toward responsible computing, such acculturation must
begin early. K-12 educational institutions
provide an opportunity for such acculturation to occur.
Schools as Hacker Training Grounds
Since Jeffersonian times, the public school has functioned as the
primary means of educating U.S. citizens to
live and work in participatory democracy (Botstein, 1997). While the
overt curriculum (defined as the easily
observable portions of the curriculum such as course offerings,
syllabi, and assignments) plays a major role in
students' academic education, the covert curriculum (school policies
and procedures, social activities, etc.) is crucial
in acculturating students to understand and learn to function within
the social and economic hierarchies outside
school walls (McAllister & McAllister, 1998). As networked,
Internet-connected personal computers become
common in public schools, computer-related covert curriculum becomes
an important yet understudied factor in the
educational programs of U.S. youth.
Hackers, crackers, hacktivists, and script kiddies typically first
learn and hone their computer skills at school,
where they usually have access to multiple networked computers with
little security software blocking their
experimentation. School is also often where they first encounter a
community of like-minded peers. Whether
students' curiosity and passion is directed toward white hat ethical
computing or toward black hat cracking depends
upon the school environment, including computer-related curriculum,
policies, and procedures. Understanding the
impact of pedagogical models employed by schools on the ethics
education and acculturation of young hackers is
vital to maintaining a balance between network security and the
protection of citizens' Internet civil liberties.
The constructivist theory of pedagogy, developed and championed by
scholars including Dewey (1897),
Bruner (1966), Piaget (1972), and Papert and Harel (1993), is a
theory in which students are conceptualized as active
creators of their own ideas and meaning, rather than as empty vessels
to be filled with knowledge by the professor.
Learning can only take place when students relate new information to
cognitive structures that exist in their minds.
An emphasis on integrating theory with practice via learning by doing
replaces rote memorization of facts because it
is through actively working with material, with peers or alone, that
students solidify their understanding on a deep
cognitive level.
Constructivists who advocate educational technology believe in freely
using flexible productivity tools such
as programming, word processing, spreadsheet, database, art, and
animation software to enable teachers and students
to tailor their computer use to their particular needs. The goal for
today's constructivists is to move away from
lecture-based instruction and multiple-choice testing, and instead
engage students in "project-based learning" where
students are more closely connected to "real world" concerns as they
work independently and in teams to define
problems, figure out what tools and resources they need to find and
analyze pertinent information (beyond the
textbook and the teacher), and come up with feasible solutions. The
skills of these "free range students" (Conte,
1995) closely match what corporations say they desire in employees
(team work, problem-solving, etc.). Among the
skills the students are learning is how to use computer technology
responsibly with minimal or no supervision.
Because schools have stepped up use of Internet-connected computers,
the issue of protecting network
security as well as preventing student access to inappropriate
on-line material has been an increasingly pressing
concern for school staff. Most schools, lacking trained network
security staff, opt for Internet content management
(ICM) measures, such as off-the-shelf filtering software and proxy
servers, as a stopgap measure. A May 1999
report by Quality Education Data estimated that usage of ICM software
in K-12 schools would increase to 71.5% in
the 1999-2000 school year over the 52.5% of U.S. school districts
that used ICM in the 1998-1999 school year
(Burt, 2000). As noted earlier, such software catches only the
simplest of network intrusions and abuses while
failing to detect or deter more sophisticated attacks.
Often school staff members lack even the most basic understanding of
types of hacks, leaving them unable to
discriminate between harmless, potentially harmful, and malicious
computing. One high school student was
reprimanded by school officials for malicious hacking when he
reported a security hole he found in the school's
password system. Another teenager, who thought his classroom
computer's Netscape settings were configured
incorrectly, was reported for hacking by a student aide when he was
simply looking at the browser settings (Lemos,
2000a). Incidents like these can lead student hackers to feel a sense
of disillusionment and distrust of school officials
when their efforts to help are unheeded or even punished.
ICM use teaches hacker and non-hacker students, in a covert way, that
they cannot be trusted to use
computers responsibly. Furthermore, it teaches students that school
staff member do not deem students capable of
learning to use computers responsibly. Not only does the use of ICMs
contradict the goals of constructivist
pedagogy, but such measures also represent an irresistible challenge
for hacker students who view network
restrictions imposed by school officials as an opportunity to
demonstrate their hacking prowess to their peer group
while simultaneously subverting institutional authority. Public
schools that are unprepared to handle network
security have few workable options for addressing the need to control
the actions of hacker students. The following
section of the article describes a school at which school staff
members gave up trying to control hacker students,
instead opting to harness and channel their passion and talent toward
helping the school as white hat hackers.
The Study Site
New Technology High School (NTHS) in Napa, California, opened its
doors to 220 juniors and seniors in the
fall of 1996. It was a public magnet school that featured
project-based, integrated curriculum; constant access to
networked, Internet-connected computers; and a school culture and
physical environment modeled upon that of a
high tech start-up business. I conducted participant observation data
from 1996 – 1999 while serving as the
Multimedia Instructor at the school. Sites of investigation included
school databases, email exchanges, classroom
observations, student-staff meeting observations, staff meeting
observations, and personal interviews with students
and staff (Van Buren, 1999).
NTHS students were required to meet Napa Valley Unified School
District (NVUSD) graduation
requirements, including reading District-approved novels and
textbooks, in addition to NTHS-specific requirements
in subjects that NTHS staff members deemed beneficial for college and
career success in the Information Age, such
as computer applications and new media design. Proficiency in word
processing, spreadsheet, database, and
presentation software served as a foundation for other courses at the
school; similarly, interactive multimedia design
skill was crucial during students' careers at NTHS because many
teachers required students to create interactive
multimedia presentations. Students could either take all their
classes at NTHS or spend part of their day at the other
high schools or the local college taking courses not offered at NTHS
such as marching band, chorus, and sports.
Students were required to complete at least four college classes and
complete work experience/internship hours in
order to graduate. Curriculum is academically rigorous; students
reported they work much harder at NTHS than they
did at their previous high schools (New Technology High School, 1997).
To attend NTHS students needed a 2.0 GPA or higher and must have
passed Algebra I. The moderate GPA
requirement indicated the desire of NTHS staff to attract a broad
range of students, from Advanced Placement
students to those who had failed to thrive in traditional schools.
Qualified students were required to attend an
informational meeting about the school with their parents or
guardians. Students who did not meet the entrance
requirements may enter an appeals process and gain admission after
writing an essay and participating in a 30-
minute panel interview with a committee of adults. In 1997-98, the
NTHS student body was more ethnically diverse
than at Napa's comprehensive high schools, with NTHS reporting 40%
students of color vs. 36% and 24% at the
other schools (California Department of Education, 1997). Sixty-three
percent of NTHS students were male, a
percentage disproportionate to the population at large.
The cultural environment of NTHS was that of a super-democratic
institution where students were
encouraged and empowered to speak, rabble-rouse, and cooperatively
shape decisions including disciplinary
policies. School planners hoped that a tremendously open environment,
including the interior architecture of the
building and the structure of the information network, would
encourage students to feel enfranchised within the
school's structure. The atmosphere at NTHS was one of openness,
vigorous discussion, freedom of mobility,
responsibility to others, and high visibility at all times. Students
at NTHS were actively socialized to make wellreasoned
demands of the school staff and other students, with the expectation
that institutional changes would occur
based on their demands.
Students and staff were recruited based on overt use of the high-tech
business metaphor. Because the school
sought "to prepare students to excel in an information-based,
technologically advanced society" (New Technology
High School, 1996) the school used high-tech business models whenever
appropriate to form policy and make
decisions. Rather than implement a multitude of restrictive policies,
staff members kept rules to a minimum while
emphasizing education about appropriate technology use and
responsibility to the organization. Students were
systematically invited to participate in policy discussions and
decision-making and were expected to behave as
responsible adults. The school did not use bells to prompt students
to go to class; instead students were expected to
be responsible for their own timeliness. Students did not have to
raise their hands to ask permission to get a drink of
water or go to the bathroom—they could come and go as they needed
unless they abused the privilege.
Computer use at NTHS fit precisely within the constructivist model of
technology implementation. The
school's open and unrestricted model of computer use was a major
feature of the attempt to implement a "high tech
business model" at the school. Planners distinguished the NTHS high
tech business model as one in which workers
were trusted to get their work done and act responsibly on-line. In
such open, trusting high-tech start up
environments, use of Internet filters and other computer restrictions
would destroy the corporate culture of openness,
camaraderie, creativity, and innovation. Pedagogy focused on teaching
students that they were in control of their
computers and could manipulate the hardware and software in order to
achieve academic goals. Computer hardware
and software products were high-quality, ample, and kept up-to-date
by the school's sponsors. Students and staff had
access to about 250 networked Pentium-chip PCs which meant that
students always had access to a computer when
required. The software used was business-grade software since a
primary goal at the school was to prepare students
for the workplace. Students had unfiltered access to email and the
World Wide Web (WWW) and used their
computers for research, database discussion, document retrieval, and
creation of school-related essays, journals,
research papers, and multimedia projects. Not all use of NTHS
computers is academic, however. Some students
formed a Games Club and met outside of instructional time to play
staff-approved computer games. During breaks
and after class students could use the computers for email and WWW
browsing as long as their use complied with
the District's Appropriate Use agreement.
Teachers used computers to post course information and assignments in
databases and on the WWW, email
students their grades and comments on school work, record and
calculate grades in grading software, perform
research for curriculum development, and develop and deliver class
presentations and lectures. Students and staff
used the computer network to arrange meetings and check schedules,
share important school-wide announcements,
and collaborate on projects by circulating files. According to
constructivist ideals for technology use, NTHS
exemplified a best practices model in the way that students learn to
responsibly control and access computer
technology.
The Computer Network Structure
As long as the trend of incorporating computer technology into school
curricula continues, the U.S. public
education system will increasingly be forced to grapple with the
following issues faced at NTHS during the study.
The description and analysis of the impact of computer use on the
covert curriculum revealed that, first, substantial
staff and student time was diverted from academic curriculum and
instruction because of student misuse and abuse
of the computers and computer network. Second, the disciplinary
system held different lessons for less-computer
proficient students than it did for highly-computer proficient
students, creating separate classes of students within
the high-tech school environment. Third, although technology abuse as
a type of school crime is laughable to most
officials from traditional schools, at NTHS it constituted a constant
struggle against high-tech abuse that, as noted
earlier, American law enforcement officials believe constitutes a
threat to the stability of the U.S. economy and
security.
Maintaining the stability and functionality of the NTHS computer
network for instructional use demanded
that control of network functions was restricted, albeit minimally.
Accidental or purposeful changes in the network
could have resulted in network crashes, disrupted and lost
instructional time, and extra hours of work for teachers
and the network manager. Even with software-based restrictions,
teachers and other staff members had to visually
monitor student use of computer technology and educate students about
appropriate use, adding to the already-full
workloads of staff. NTHS staff members dealt with diversions from
academics common to all schools due to typical
school activities (assemblies, rallies) and traditional disciplinary
activities (referrals for smoking, 'defiance'), and
other miscellaneous problems such as forgotten textbooks or school
supplies. These traditional school diversions
combined with the unique technology-related diversions at NTHS
resulted in an increase in personnel time required
to run the school and loss of instructional time for students.
Contrary to the myth that computers are labor-saving
devices that save educational dollars, at NTHS the computers added to
personnel costs. The minimal software-based
control of the network and individual computers that the school chose
to implement, as described below, helped only
a small extent to lessen staff workload.
Student access to the school network was restricted by individual
passwords, administered by the school's
network manager. No passwords, student or staff, were secret from
her. Students had two passwords: one for
logging on to the network, and another for accessing their Lotus
Notes accounts. They could log on to any computer
in the building and access their individual "My Documents" folders
housed on a school server and their Lotus Notes
files housed on a different server, giving them a high degree of
freedom and flexibility in moving about the building
throughout the day. Thanks to the World Wide Web, students and staff
could also access their Lotus Notes email
from outside the school by entering their usernames and passwords at
the school's web site.
Using the C-drives of individual workstations for saving files was
discouraged (but not prohibited) since the
C-drives were accessible to other students, making files vulnerable
to alteration or erasure. In addition to their own
password-protected folders on the school servers, students had read
and write access to other partitioned sections of
school servers, such as the Students on Server3 section (where
teachers and some administrative staff maintained
folders) and the WebServer on Server3 (where students posted their
web page folders for the school web site).
Students could use those publicly-accessible servers to view, post,
and copy files for staff and each other, but
students could not alter or delete files once they were posted in
these public areas of the network.
When the school first opened, staff members were very naďve about the
possible mischief and damage
students could cause when they had unrestricted access to the
computers and network. Computer-related discipline
problems were simply outside the consciousness of staff members. Our
initial expectation was that we would face
traditional disciplinary issues that public schools faced; we never
considered the possibility that students would
abuse the privilege of their access to high technology. Exacerbating
the problem of unpreparedness was that staff
lacked training in network security. For example, when the school
opened students had DOS access, but the network
manager soon encountered problems maintaining the functionality of
the network and individual computers because
of students who tampered with system settings.
NTHS staff members acknowledged that due to limited time, resources,
and expertise we could not hope to
completely control the school's computer network, especially since
some NTHS students possessed far superior
computer skills than all NTHS staff put together. As a result the
staff tried to enfranchise all students in the process
of building effective computer technology policy. Working from the
desire to build a "culture of trust" with
students, staff members began by trusting students to use the network
responsibly and educating them about how to
use the network responsibly.
Eventually the staff realized that despite the effort to build a
culture of trust, the school would have been
negligent if staff members did not monitor student computer use at
all. Staff members attempted to minimize the
need for monitoring by preventive education. All students and their
parents or guardians read and signed the
school's "Appropriate Use Policy" which detailed the school's
computer policies and procedures. Staff members
repeatedly reminded students that the whole world was watching the
school's progress, and students should conduct
themselves as if the world was looking over their shoulders. Students
had been invited twice in the first three years
of the school's operation (1996-1999) to help develop the school
technology policy. Known and potential hacker
students were repeatedly invited to serve as network consultants and
troubleshooters, performing such white hattype
tasks as helping to plug network security holes and assist in the
formulation of network policy and procedures.
Teachers and staff members actively socialized students to view the
technology resources as privileges they enjoyed
rather than resources to which they were entitled. We frequently
reminded students that the computers and networks
were owned by the school district, and that school facilities were
for educational use only.
The monitoring at NTHS was minimal. Teachers looked at students'
computer monitors in the course of
walking around to help students, watching for signs of inappropriate
activities. The network manager installed a
program on each computer that tracked installation of applications by
comparing what was installed on the machine
at last start-up to what was installed on the machine at the current
start-up. When new applications were noted the
manager was able, as her busy schedule allowed, to look at the log-on
records and see who was last logged on to that
particular computer, indicating who installed the software without
permission. Students were aware that staff could
read their email and track web site visitation, as well as read
postings on the various discussion databases that the
school offered.
Even the minimal network restrictions in place at NTHS have incensed
the school's more computer-proficient
students. Accustomed to having complete control over their home
computers (and in some cases, home computer
networks), such students arrive at NTHS expecting to have similar
control over school computers. This caused
computer-proficient students to complain bitterly, eventually driving
them underground to constantly and
surreptitiously test the network for holes in security. However,
students were also aware that the staff was so busy
with curriculum development, teaching, research, staff development
and training, student tutoring, discipline,
parent-student conferences, staff meetings, grading, preparing for
conference presentations, and other duties that we
rarely had time to monitor student use of the network. The times that
I caught students misusing or abusing the
computer network were entirely by accident and in person (for
example, I happened to walk by a student's
workstation and see the "download file" window open on the monitor,
or see an email with obscene language),
rather than because of systematic electronic monitoring.
Non-Proficient Students
The less-computer proficient students appeared for the most part to
follow the appropriate use guidelines
established through the "culture of trust" campaign. Although they
occasionally misused email, the Web, and
databases by engaging in social/recreational use during class time,
and were punished accordingly, they did not
attempt to penetrate or bypass network security blocks or damage the
system. Low-level abuse of the network was
easily discovered and traced by school staff, leading non-proficient
students to fear being caught. As a result, nonproficient
students learned to fear monitoring and punishment.
The definition of appropriate use of email, discussion databases, and
software of various kinds involved
refraining from activities that will damage the school's culture,
reputation, or network. Students were not allowed to
create sexist, racist, homophobic, obscene, or otherwise harassing
messages using words, images, or sounds.
Students were not to send large files over email in order to avoid
overloading and crashing the email system.
Students were not to use the network recreationally during
instructional time, i.e. sending social email or social
database postings during class time, unless they have finished their
assignments. These limitations were in keeping
with the "business model," since similar limitations were in place in
various businesses to avoid lost productivity
and harassment lawsuits. Knowing that students more readily accepted
limitations if the limitations are framed in
terms of "business standards," teachers periodically discussed recent
cases in which a worker was fired for viewing
pornography at work, or for sending harassing email from an
employer's computer network. That the limitations on
computer use also kept NTHS within the California Educational Code
guidelines pertaining to the maintenance of an
appropriate educational environment was rarely discussed with students.
Controlling appropriate use of student email proved difficult. The
existence of email groups in the school
email address database allowed standard messages to reach large
groups of people quickly and easily. These groups
include "Staff," "Junior Students," "Senior Students," and
"Students." Teachers were able to make email address
groups for their classes. For example, I could send email to my
students, period by period, regarding assignments
and multimedia contests. Students quickly realized the power of being
able to send a message to a large group of
people. On the second day the school was open in 1996, which was the
first day that students' email accounts were
functional, a student sent an all-student email containing a picture
of a skull-and-crossbones with the message
"Death to all students." Because no staff members were on the
"Student" email group, we did not know of the
message until recipients complained to us about the message as a
death threat. The sender of the email, who claimed
that the message was a joke, was immediately called into the school
director's office and sent back to his previous
high school. After this incident staff members were included in all
official student group email address lists, and
students were required to secure and note staff member permission
when sending all-student email (Figure 1).
Figure 1: Example of Permissible All-Student Email, 1999
FROM: Amanda (5/27/99)
TO: Students
SUBJECT: Raffle
Attention Students! Friday Night Live will hold a drawing for 2
passes to Six Flags Marine World.
You may purchase a drawing ticket for $2. Buy as many as you like.
Tickets will be on sale in the
front hall during break tomorrow. Drawing will be held on Monday,
June 7 and one lucky winner
will walk away with the two passes.
Ms. Matzke gave me permission
Figure 2: Anonymous External All-Student Emails, 1999
FROM: SuperFreak <[log in to unmask]>
(4/21/2002)
TO: Students
SUBJECT: hi everybody
hello boys and girls.
FROM: [log in to unmask] (11/20/98)
TO: Students
SUBJECT: hello
i love you all.
FROM: [log in to unmask] (5/14/99)
TO: Students
SUBJECT: dear josh
thanks for giving me your email address.
I think that you are dumb.
Have a nice day.
FROM: [log in to unmask] (5/18/99)
TO: Students
SUBJECT: asdfjkl;;lkjfdsaasdfkl;jj
Asjidfljkas;fljakknsvdo,w/qngv/wnSDhgo:qi/awv/lzcoiIQWE'24 92878:0AD
9ur08 2y /HLADJjL?KDSGDgPU30RhnAV?as:flakknsvdo:w:/qngv/wnSDhgo:qi/awv/lzcoiI
[repeated 81 more times]
Figure 2: Anonymous External All-Student Emails, cont'd
FROM: [log in to unmask] (5/18/99)
TO: Students
SUBJECT: m-eye eye-denti-ty
I yam da terror dat lurks in da nyte…. I yam de un forseen
cir-cum-stance behind all that is
just… u will never discover my identity….you will never discover me…
for I am and always
will be the phantom menace that will forever be unseen…. u all will
nevah know…and u can
never track me down…. bwa ha ha ha ha….
FUCK U ALL FUCK U ALL FUCK U ALL FUCK U ALL FUCK
[last line repeated 41 more times]
FROM: Hombre con los huevos a [log in to unmask]> (5/26/99)
TO: Students
SUBJECT: por favor
Dear Javier,
How are you? I am ok. Ever since you fled to America I have been
lonely. It's been tough without
you, but because of the all the loving that the men in the village
are giving me, I am not always
depressed. Come home soon.
Your Hot Latin Lover,
Fidel
This policy did not address what was possible due to the
proliferation of web sites that offered anonymous
email accounts. Sites such as hushmail.com, china.com, and
latinmail.com allowed anyone to establish an email
account under a name of their choice. For students and others who
wished to send anonymous email to people
within the school, such sites offered the power to communicate
without responsibility for the message. In May, 1999
the school suffered a rash of anonymous all-student emails (Figure
2), mostly innocuous in nature with one that was
both threatening and vulgar. Two of the messages contained large
quantities of text that when sent to every student
in the school could clog the email server to the extent that the
server might crash. One email was sent by someone
who managed to create a fake school email account
("[log in to unmask]"). This and one other email
contain bogus dates, indicating that the sender deliberately changed
the date and time on the sending computer to
make the prank more elaborate. The existence of numerous web sites
that offered anonymous email meant that even
if NTHS moved to block mail from a specific email account or even a
specific provider, a student bent on sending
anonymous emails could simply switch account providers over and over again.
Despite the relatively benign nature of these anonymous messages,
they nonetheless sent a sobering message
to the school, particularly to school staff. The senders wished to
remind us of the school's vulnerability. The emails
announced the power these people possess to subvert school rules with
impunity, as well the potential damage these
people could cause if they so desired. It was tempting to view these
email pranks as mere high school foolishness,
but there were unmistakable parallels between the NTHS incidents and
other incidents of hacker tampering at the
corporate and governmental levels.
In response to the anonymous emails an NTHS teacher who also served
as the school web site manager sent
out an all-student email hoping to send the strong message that the
offender(s) were jeopardizing the openness of the
school's information system:
The recent flood of outside e-mail is a good example of the problems
of having an open
network. Although some students use outside e-mail accounts
appropriately (to send
themselves assignments from home, etc.) a few students who misuse our
web access could
force us to tighten the network. It would take very little effort to
put our access of the web
through a proxy server which would limit access to sites the staff
pre-selects, or to remove the
e-mail option for Lotus, or to use only the electronic library and
remove all WWW access.
The rest of the nation is watching us to see if an open network can
work at a public school. As
in any government structure or institution, unless each of us acts
responsibly and encourages
others to do the same, it will be much easier to remove liberties.
This summer, the staff will be making those decisions as we update
our system for next year.!
The behavior of you and your peers during these last few weeks will
be fresh in our minds.! If
you agree with the staff that an open network is what we want, then
please use our network in
a professional manor [sic].
If you have any thoughts on the matter, please e-mail them to the
Tech Management Team (P.
Curtis, personal communication, May 28, 1999).
One attempt at systematic electronic monitoring was quickly
abandoned. In Fall 1998 a highly computerproficient
student approached school staff with an idea for an electronic method
of monitoring web site use on
campus. He proposed installing what is called a "Unix box," which
would allow the constant and complete
recording of every web site visited by everyone in the building. The
school director and network manager agreed to
let him install the Unix box, and within the first 30 minutes of
tracking, people in the building visited dozens of
obviously inappropriate sex-related web sites. By noting the
computers from which the sites were accessed and the
time of access, the network manager could then determine who was
logged on to the computers at the time of
access. Quickly the record of inappropriate site visitation became so
staggering that the school director removed the
Unix box because he did not have time to discipline all the
transgressors. The director also noted that the Unix box,
like filtering software, contradicted his desire to build a "culture
of trust" with students at the school. In this instance
the school chose to ignore the problem rather than reallocate time
and resources to deal with the problem.
Hackers
In contrast to the activities and lessons learned by non-computer
proficient students, hacker students, who
clearly knew how to use computer technology much better than staff,
scoffed at the school's policies and procedures
and knew that they could move in and out of the school network and
engage in other inappropriate computer activity
without being detected.
A group of three such students, all boys, agreed to be interviewed
for the study regarding what they knew was
possible in the way of infiltrating the school's computer network and
individual computers. These boys expressed
their views about hacking. For these boys the goal was to determine
what security holes existed and what damage
they could do, but did not do, to the network. An additional thrill
in the case of hacking the school system was the
secret knowledge of their technological superiority to the adult
staff members at NTHS. I approached them as
informants, carefully characterizing what I wanted to know as
activities they knew were possible, not necessarily
activities in which they themselves had engaged. Some of these
students had already helped the school director plug
security holes in the school's network. Nevertheless, because the
conversation could lead to disciplinary action by
school staff I protected their identities in order to understand the
extent and nature of actual and potential computer
system abuse at NTHS. What follows is a description of actual and
potential transgressive computer activity at the
school gleaned from a personal interview with students.
When asked to describe activities that students could engage in at
school that could potentially damage the
school computer system, the students' responses filled three
hand-written pages of notes. Activities could be placed
into two categories: nuisance-producing activities and
maliciously-damaging activities. The activities could create
physical damage to computer hardware; software-based damage to
individual computers; and software-based
damage to the computer network as a whole. The cost of overcoming
such damage ranged from the expenditure of
small amounts of staff and instructional time and money to
expenditure of large amounts of staff and instructional
time and money. In the case of data loss the risk involved
irreparable loss of student and staff privacy if confidential
grade, personnel, and address information is accessed.
Theft of software and hardware was the first activity the students
mentioned. Students can steal software
applications by taking the actual disk or CD on which the licensed
software was delivered. They could also copy
software from school computers or download illegal copies of software
posted at "warez" sites on the Internet.
Downloading from the Internet at NTHS was appealing because the
school's high-speed Internet connection allowed
students to gather more software in a shorter amount of time than
they would be able to gather at home on slower
Internet connections. If students installed the software on NTHS
machines the school is liable for software license
violation. Students can also copy the software to Zip disks or
CD-ROMs at school to take home and install on other
computers or distribute freely to others. The school made no attempt
to track the extent of software theft but did try
to minimize unauthorized installation of software on school machines
through education, the executable application
detection program described earlier, and walk-around monitoring by teachers.
Minor nuisance-causing network activities were the equivalent of
mischievous student pranks. Students could
change the network log-on screen information in subtle ways (for
example instead of the required domain name
NAPA_NTHS, a prankster typed NTHS_NAPA or some other variation). When
the next student attempted to log on
to the network he or she got an error message and usually could not
figure out what the problem was, requiring
teacher assistance which in turn delayed instruction for the entire
class. Pranksters also typed vulgar words into logon
windows for the next student to read before logging on, the
equivalent of on-screen graffiti.
Pranksters wrote and installed tiny computer programs that created a
nuisance but did not damage anything.
Rather these programs waste instructional time as students and staff
work to figure out the problem. For example,
one student-created program automatically logged students off the
network as soon as they logged on, in effect
shutting them out of the network until the program was disabled.
Students wrote programs in Lotus Notes which
were executed by clicking on an on-screen button. They sent the
buttons in email to other students with the simple
message "click me." When recipients clicked the button, hundreds of
email messages were automatically sent out,
sometimes with offensive messages that appeared to be sent by the
hapless button-clickers. The dilemma for the
button-clickers then became whether to take the blame for the email
spam they inadvertently sent out or to turn in
the senders of the "click me" buttons.
Other abuses of the NTHS network were more sinister. Occasionally the
school was "nuked," causing the
computers to get "bluescreened." This meant that someone ran a
program called Win Nuke on the school computers,
causing the machines to lose their network connectivity, lose any
unsaved data, and require restarting. Win Nuke did
not cause permanent damage, but it did delay instruction, cause
students and staff to lose data, and serve as a
reminder of the school's vulnerability to technological terrorism.
A more malicious program called Back Orifice (a name parodying the
Microsoft Back Office software)
plagued the school in Fall 1998. Back Orifice was surreptitiously
installed on several NTHS machines, enabling
remote control of the infected computers. The implications of Back
Orifice installation were quite grave. For
example, the program allowed the installer to remotely control the
computer desktop, restart the computer, display
pop-up messages to the user, read files including temporary files
containing password information, record
keystrokes, send email from the user's account, and capture screen
shots of the user's monitor. If a video camera
was installed on the user's computer, Back Orifice allowed the remote
installer to control the camera and take video
shots of the user surreptitiously. The ability of Back Orifice
installers to access and maliciously use confidential
information in a school setting was very serious cause for concern.
The students I interviewed revealed that the entire school network
had been open to hackers. Everything –
including the school web server, student and staff servers,
individual student and staff network accounts, email
accounts, and individual hard drives – was accessible to motivated
hackers from both on- and off-campus. The
implications of this unauthorized access on the privacy of students
and staff were profound. Because the network
manager had saved a text document in her files containing all NTHS
passwords, finding the school passwords was
as easy as opening a text document. Student records, staff
discussions on the database, staff email regarding student
grades and behavior, and student grade databases were accessible.
Reading these files, editing them, and sending
email in another person's name was possible. This had been the case
from Fall 1996 – Fall 1998, until the school
moved its Internet connection from a commercial service provider to
the NVUSD wide area network. The students I
interviewed maintained that despite the move to the NVUSD network
they could still, with a great deal of work,
gain access to the entire NTHS network because of security holes.
I questioned my interviewees about how to solve the problem of
network security in poorly-funded public
institutions, and they could not come up with any suggestions. They
believed that there would always be security
holes in computer systems that leave information vulnerable to
attack. However, they maintained that overall NTHS
hackers were non-malicious, and offered the fact that nothing serious
had happened to the school networks as
evidence of their peer groups' beneficent nature.
Consequences
When misuse and abuse of the network occurred, offenders who were
caught were punished by having their
network privileges removed for a period of time, in essence an
in-house suspension from the system. Students who
are "off the system" receive their assignments via printout and turn
their work in by writing by hand or using
computers at the city/county library, Napa Valley College, or at
home. In some classes, such as in the multimedia
class which required the use of expensive computer animation software
generally not available anywhere else,
project deadlines are extended until the student is back on the
system. After the initial expulsion from NTHS (the
email death threat situation discussed earlier), the political
difficulty of sending NTHS students back to the other
Napa high schools prevented even those students who repeatedly abused
the network from being sent back to their
previous high schools. On only three occasions did the school
director successfully convinced repeat network
abusers and their parents that returning to the previous school
offered the best solution for timely and trouble-free
completion of high school requirements. In these cases, the return to
the previous school was entirely voluntary, thus
avoiding giving the other school principals grounds for complaints
about "dumping" of problem students.
Over the course the study, I noted that it was typically a small
portion of the less computer-proficient students
who made mistakes when misusing the computer system and are
consequently caught and punished. The school's
Appropriate Use Policy and attendant disciplinary system functioned
as a strong deterrent against malicious
behavior on the part of less computer-proficient students,
socializing them to accept limitations on the uses of
computer technology in public settings. Highly
technologically-skilled students, on the other hand, remained
unconvinced of the school's ability or desire to follow through with
technology-related discipline. The hacker
students I interviewed found the school's disciplinary policy on
system abuse laughable, saying it served no
deterrent function whatsoever. Because word of the Unix box incident
quickly spread among them, in which school
administration chose to ignore the conduct, hackers learned that the
school staff would not or could not work
seriously to enforce appropriate network use. These students felt
quite secure in their ability to hack into the school
system without being traced or punished. Because these hacker
students possessed technology skills far superior to
staff skills, in reality the hackers truly were beyond policing by
staff. The striking resemblance between NTHS
computer crime and computer crime in the larger society indicates
that NTHS hackers were using their time and
access to high-speed technology at school to further develop their
hacking skills. For these students the covert
curriculum was one in which their sense of superiority over the
adult, non-technological world was reinforced.
The problem of network security holes is not specific to NTHS or any
other school. Rather, security breaches
are a hazard faced by all public and private institutions that use
Internet-connected computer technology. Ensuring
network security requires the expensive time and expertise of
highly-skilled computer professionals, a luxury which
schools and other public institutions can rarely afford. In the case
of public institutions, which are supposed to
inspire trust in the citizenry and represent stability in the face of
societal changes, the vulnerability of confidential
and sensitive information becomes a public safety issue. In a K-12
setting the particular vulnerability of minors
escalated the need to protect their confidential information from
unauthorized access.
The contributions of this analysis are significant to the degree that
computer technology is blended into
American high school classrooms. Tremendous staff and student time is
channeled from academic curriculum and
instruction because of student misuse and abuse of the computers and
computer network, requiring more, not less,
personnel time. This finding refutes the myth that computers are
labor saving devices that will replace teachers and
other school staff. The computer technology policies and procedures
at NTHS, in the context of the overall strategy
of constructivist pedagogy, contributed a great deal to the covert
curriculum and the development of the educational
culture of the school. The strategies employed by staff members to
enfranchise hacker students can be seen as
partially successful in that some students apparently hacked the
network, but did so largely without malicious intent
and without serious harm. Some hacker students were successfully
recruited as white hat hackers who helped to
troubleshoot and secure the integrity of the network.
Conclusion
Societal unease about computer network security has the potential to
threaten cyber-liberties currently
enjoyed by Internet users around the globe. Corporations and
governments may see no alternative to restrictive laws
unless Internet users, cyber-liberties activists, and hacktivists
work together to create a culture in which responsible
hacking is rewarded and destructive hacking is discouraged. Groups
concerned about developing an overall
computing culture which maintains a balance between cyber-liberties
and cyber-responsibility should work with
educators to develop and implement ethics-based computing curriculum
for K-12 schools. Further study of
pedagogical models that foster student self-responsibility and
ethical computing habits is necessary to develop a
range of best-practices models from which educators can work.
Bibliography
Bajaj, V. (2000, Mar. 12). Web security posts hard to fill with
skilled workers. The Dallas Morning News, 22L.
Berinato, S., & Ferguson, R. (2000, Sep. 15). Hack alert: Where's the
outrage? EWeek [On-line]. Available:
http://www.zdnet.com/eweek/stories/general/0,11011,2628787,00.html
Biagi, S. (2000, Oct. 2). A personal touch. Telephony [On-line]. Available:
http://www.internettelephony.com/asp/ItemDisplay.asp?ItemID=11222&AreaID=8.
Botstein, L. (1997). Jefferson's Children: Education and the Promise
of American Culture. New York: Doubleday.
Bruner, J. (1966). Toward a theory of instruction. Cambridge, MA:
Harvard University Press.
Burt, D. (2000, July 20). Written Testimony of David Burt, Child
Online Protection Act Commission [On-line].
Available: http://www.copacommission.org/meetings/hearing2/burt.test.pdf
California Department of Education (1997, October). CBEDS Profile
(CBEDS-EE9), Napa County, Napa Valley
Unified School District.
Carnevale, A., & Porro, J. (1994). Quality Education: School Reform
for the New American Economy. Washington,
D.C.: U.S. Department of Education, Office of Educational Research
and Improvement.
Conte, C. (1995, October 20). Networking the classroom. CQ Researcher
pp. 923-943.
Dewey, J. (1897). My pedagogic creed. Reprinted in J. Boydston (Ed.)
(1967-1991). The collected works of John
Dewey. Carbondale: Southern Illinois University Press.
House Subcommittee on Government Management, Information, and
Technology (2000, Sept. 11). Report card on
computer security in the federal government. Committee on Government
Reform [On-line]. Available:
http://www.house.gov/reform/gmit/hearings/2000hearings/000911computersecurity/000911.htm.
Fujii, R. (2000, Apr. 3). Companies employ multiple defenses against
computer hackers. The Record [On-line].
Available: Electric Library http://www.elibrary.com.
Goslar, M. (2000, Sep. 6). Cracker attacks for a different reason.
Enterprise [On-line]. Available:
http://www.zdnet.com/zdnn/stories/news/0,4586,2624613,00.html?chkpt=zdnnmoreon
Gruenwald, J. (2000, Sep. 25). Nations struggling to fight
cybercrime. Inter@ctive Week [On-line]. Available:
http://www.zdnet.com/zdnn/stories/news/0,4586,2631389,00.html
Knight, W. (2000, Sep. 15). OPEC web site defaced. Enterprise
[On-line]. Available:
http://www.zdnet.com.au/enterprise/security/stories/au0005622.html
Koch, L. (2000, Jul. 6). Open sources: Preventing cybercrime.
Inter@ctive Week [On-line]. Available:
http://www.zdnet.com/intweek/stories/news/0,4164,2601565,00.html
Koerner, B., & Glasser, J. (2000, Feb. 28). Who can stop
cybervandals? U.S. News and World Report [On-line].
Available: Electric Library http://www.elibrary.com.
Lemos, R. (2000a, Jul. 14). Hard times at hacker high. ZDNet News
[On-line]. Available:
http://www.zdnet.com/zdnn/stories/news/0,4586,2604043,00.html
Lemos, R. (2000b, Jul. 12). Script kiddies: The net's cybergangs.
ZDNet News [On-line]. Available:
http://www.zdnet.com/zdnn/stories/news/0,4586,2602573,00.html?chkpt=zdnnmoreon
Lemos, R. (2000c, Jul. 26). Silence the best security policy. ZDNet
News [On-line]. Available:
http://www.zdnet.com/zdnn/stories/news/0,4586,2608077,00.html
Matthew, R. (2000). The environment as a national security issue.
Journal of Policy History 12(1), 101-122.
McAllister, P. & McAllister, K. (1998). Critical Resources in
Teaching with Technology: Introduction to Techno-
Critical Pedagogy [On-line]. Available: http://www.engl.uic.edu/~stp/intro.htm
New Technology High School (1997). Focus Group Comments.
Self-published document.
New Technology High School (1996). Napa's New Technology High School:
A U.S. Department of Education
Demonstration site. Self-published brochure.
Papert, S., & Harel, I. (Eds.). (1993). Constructionism. Norwood, NJ: Ablex.
Reuters (2000a, Oct. 16). Americans question cyber-security. TechTV
[On-line]. Available:
http://www.techtv.com/cybercrime/hackingandsecurity/story/0,9955,3005501,00.html
Reuters (2000b, Oct. 16). NSA chief: We protect cyberspace. Wired
News [On-line]. Available:
http://www.wired.com/news/print/0,1294,39476,00.html.
Rushkoff, D. (2000, Feb. 10). Recent Internet attacks are a reaction
to the commercialism of the Internet. All Things
Considered, National Public Radio. [Online]. Available: Electric
Library http://www.elibrary.com.
Robinson, C. (2000). Electronic commerce commands canny insight into
hacker moves. Signal 54(9):53-56.
Taylor, C. (2000a, Feb. 21). Behind the hack attack. Time, 44-47.
Taylor, C. (2000b, Mar. 22). Business: Cracking the code. Time, 60.
United Press International (2000, Jan. 7). Clinton announces security
plan [On-line]. Available: Electric Library
http://www.elibrary.com.
Van Buren, C. (1999). High technology learning at "The School That
Business Built": Perceptions of education at
New Technology High School (University of Texas at Austin,
unpublished dissertation).