I must admit, I chuckled when I saw the article by The Mirror, warning that a generation of “amoral and disruptive youngsters who use their skills to kick against society …with many using the skills they picked up in lessons”.
Anyone who has been in the classroom with a bunch of mixed-ability Y9 students, trying to encourage them to write/adapt a program to switch on LEDs or play rock-paper-scissors, knows that classrooms aren’t exactly a hotbed of sedition.
However, I find myself in a genuine ethical dilemma when it comes to GCSE Computer Science.
The new OCR J276 specification includes specific references to online security. As expected you get some stuff on legislation (including data protection & computer misuse), references to anti-malware, firewalls, user access levels and passwords. You now also get mention of encryption, penetration testing and network forensics.
Encryption – no problem. It’s a little vague but there are no specific mentions of algorithms (as you get at AS level) so I dare say we’ll look at the Caeser Cipher, probably Pigpen and a couple of others – moving up to the purpose of online encryption.
The interesting bit is the addition of penetration testing and network forensics. My experience in this area is pretty limited (I once cracked a neighbour’s WEP key just to see if I could, but that’s about it). Forensics; I suppose I could look at the logs on one of our servers or have a look at ownership of files in Linux but other than that I’m a bit stumped.
The one I’m pondering, though, is penetration testing (thankfully shortened to pen testing in common parlance – I can’t imagine the sniggering this is going to induce). The aim is to try and find vulnerabilities in a computer system. And the best way to teach about it (in general) is by doing it. So, I’ve been looking into methods and software to set this up in a classroom.
I could install Kali Linux on a Raspberry Pi and use it with a home-made LAN that is totally separate from the main network, or I could use the awesomely named MyLittlePwny (based on the PwnPi OS). With a little LAN built up of various Windows boxes, a spare (outdated) Mac and some Pis I suppose I could get the students to explore and experiment. But then I suddenly find myself drawn back to that article in the Mirror.
This year I’ve already had to intervene with some Y10 Computer Science students, one of whom thought it would be funny to copy a batch file that would delete/rename work in the user’s home directory and a couple of others who thought it would be fun to distribute it around the class. Do I really want to give those students links and hands-on experience with a more powerful arsenal?
Of course any lessons on these topics would need to be bookended (and interlaced) with discussions of morality, legislation and the difference between white-hat, grey-hat and black-hat hackers.
Another option is to make use of free online games (e.g. Hacker Experience or Slave Hack), maybe even looking at some paid-for desktop/mobile alternatives (e.g. the intriguing looking Top Secret, the assembly language simulation TIS-100, the retro hacking classic Uplink, its nephew Hacknet or the bizarre but engrossing looking Else Heart.Break()).
I’m not really sure what my conclusion is yet. I think that lessons in pen testing and identifying vulnerabilities in order to fix them are a good thing in principle. In practice, I’m not sure how akin it is to teaching self defence, only to find one of your students used their new skills to go and mug someone.