Learning From Learners: Some questions asked at security trainings

As I’ve said in previous posts, it is critical to understand learners’ mental models of a system you are teaching them about, in order to help them build accurate understandings of the technologies they are using. Questions that attendees ask in security training sessions can be useful for understanding some of the misconceptions learners come in with.

Here are a few that were asked by people in two recent training sessions I attended: the Tor session OpenITP ran a few months back, and a journalist security training run by the Tow Center at Columbia University. (I should note: I’m attending as someone who’s still a learner myself, with a few pieces in place but mostly still puzzling out how anti-surveillance software works.)

“Can you get a virus from Tor?”

“If someone is using Skype on their machine and also serving as a Tor bridge, are they compromising our connections?”

“If I’m on Gmail would you also be able to hack from there?”

“Is it not a good idea to use multiple forms of protection?”

The first two questions suggest muddled conceptions of how a computer works — which are totally reasonable, given that most people never have to learn anything about where viruses come from, much less how ports, operating systems, or layers work; they rely on other people (the Geek Squad, the Genius Bar, the kid next door, the office IT staff) to know that for them. I’m convinced that by anticipating and proactively addressing more questions about computer systems, we can fend off some of these misunderstandings.


It’s important to ensure everyone’s talking about the same thing, or learners’ mental models might be built wrong. Defining your acronyms (maybe even Tor?) is one step to take.

It occurred to me that the person asking the virus question might not be making the distinction between “viruses,” “malware,” and “my computer is acting weird and dubious” — distinctions a lot of people don’t make. The trainer explained that Tor protects you from getting viruses because it creates a tunnel (if I remember correctly). But I and a couple of other people then jumped in to point out that malware frequently comes from something on a website which you click accidentally, so Tor could potentially pass that on to the user. The trainer explained there are also tools in the Tor Browser Bundle which help protect against malware, NoScript being one of these. He noted that Flash content could also potentially transmit unwanted effects to your machine.

So the questioner’s concern about malware coming through Tor is not misplaced. However, the answer to a question like this should be prefaced by some questions about what the asker knows about malware, then address different varieties of malware and how they get onto your machine.

The second question, about Skype, came after the presenter had said that Tor is likely to be compromised if you have any other applications open while you install it.

Among those of us learning about security tools, there’s some confusion about whether and how different Internet traffic streams “mix” or “cross” inside our machines, and whether that presents a threat. I say “us” because I’m also unclear on this at the moment. I can’t explain the reasoning behind the instructor’s warning about having other things open while installing Tor — or for that matter, judge whether it’s true.

The confusion about what’s happening when there are two different applications running on a machine also came up in another set of questions at the Tow Center training, while Seamus Twohey was presenting on how networks work:

Q: If we have CNN open, at what point are we not sending [data in the clear]? (CNN notoriously does not use https, the encryption protocol for web traffic that banks, Gmail, and many other sites use.)
A: The security chosen is the one for that set of packets, the ones going to and from CNN.
Q: But if I’m on Gmail would you also be able to hack from there?
A: It depends on what info [the attacker is] looking for. If they’re looking for metadata, and they want to figure out who you’re talking to and where you’re talking from, they could build a profile of you (we know this is all the same Gmail address, for instance). That stream is going through the same path (router etc.) but it is encrypted.
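To make the answer above concrete, here is an added example (mine, not from the training or the original post) of what an on-path observer recovers from two concurrent flows: a plaintext HTTP request and a TLS session. Both captures are constructed in the code, and the host names are placeholders.

```python
"""Added example: per-flow protection as seen by a passive on-path observer.
Both captures below are constructed here; hostnames are placeholders."""
import struct

def tls_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name            # name_type=0 (host_name)
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(rec: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                                  # session id
    p += 2 + int.from_bytes(rec[p:p + 2], "big")     # cipher suites
    p += 1 + rec[p]                                  # compression methods
    end = p + 2 + int.from_bytes(rec[p:p + 2], "big"); p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        if etype == 0:                               # server_name extension
            nlen = int.from_bytes(rec[p + 3:p + 5], "big")
            return rec[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def observe(flow: bytes) -> dict:
    """What a passive observer learns from one flow without any keys:
    the full request for plaintext HTTP, only the host name and size for TLS."""
    if flow.startswith(b"\x16\x03"):
        return {"protected": True, "host": sni_from_client_hello(flow), "bytes": len(flow)}
    head, _, body = flow.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    hdrs = dict(l.split(": ", 1) for l in lines[1:])
    return {"protected": False, "request": lines[0], "host": hdrs.get("Host"),
            "cookie": hdrs.get("Cookie"), "body": body.decode()}

# Constructed captures: a plaintext news request and a TLS session to a mail host.
HTTP_FLOW = (b"GET /politics HTTP/1.1\r\nHost: news.example\r\n"
             b"Cookie: session=abc123\r\n\r\n")
TLS_FLOW = tls_client_hello("mail.example") + b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"
```

Running `observe` on each flow shows the asymmetry the answer describes: the news request yields the path and session cookie, while the mail session yields only the destination host name (metadata) and a byte count.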

Seamus’s slides and a number of other training materials (most of the EFF graphics on Tor, for example) do a good job of making clear the potential places we’re vulnerable between our own machines and the sites and services we’re trying to access. What they are a little light on right now are the relevant aspects of how our own machines work. I talked with Seamus about things that might be added to his (totally fabulous) slide deck. Ports came up, but Seamus thinks that will be going into too much detail and will make people’s eyes glaze over. I’m still not sure; it seems to me these questions indicate a need to mention them, even if briefly.

The original “is it not a good idea to use multiple forms of protection?” question was actually a bit longer, and showed off an interesting case of a learner’s prior knowledge influencing how they thought about information systems:

“I’m a nurse, and sometimes nurses believe that using two latex gloves per hand is better than one. I noticed Tor and DuckDuckGo don’t work together… is it not a good idea to use multiple forms of protection?”

As she explained to me later, using two gloves is a good idea with chemotherapy, where you wear a loose glove over a tight one, but not with other use cases for latex gloves. (Oddly enough, I remember having to make a similar point to kids in a sex-ed class about multiple-condom use. Friction isn’t your friend, folks.) This actually makes for a surprisingly apt metaphor: two physical barriers can make for double protection, or can make for dangerous friction. And the problem in this case was friction (though not so dangerous): the search engine/browser plugin DuckDuckGo uses JavaScript, and of course the Tor Browser Bundle includes NoScript, which breaks that.

One last thing that came up in both trainings was the use of acronyms — for protocols, for tools like IRC, for anything that is not screamingly obvious to a huge range of people. Any acronym used repeatedly needs to be translated at some meaningful point in a training. In the Tor presentation, someone asked the presenter to explain what “clear text” or “sending in the clear” was after hearing HTTPS mentioned a handful of times, indicating the difference between HTTP and HTTPS had not been made clear. A roleplay scenario at the Tow Center mentioned that Anonymous uses IRC; in a group of maybe ten journalists, five had not heard of IRC.

I’ll address two more questions in the next post, as I get the sense they were influenced by graphics which were a bit confusing.
