Learning From Learners: Some questions asked at security trainings

As I’ve said in previous posts, it is critical to understand learners’ mental models of a system you are teaching them about, in order to help them build accurate understandings of the technologies they are using. Questions that attendees ask in security training sessions can be useful for understanding some of the misconceptions learners come in with.

Here are a few that were asked by people in two recent training sessions I attended: the Tor session OpenITP ran a few months back, and a journalist security training run by the Tow Center at Columbia University. (I should note: I’m attending as someone who’s still a learner myself, with a few pieces in place but mostly still puzzling out how anti-surveillance software works.)

“Can you get a virus from Tor?”

“If someone is using Skype on their machine and also serving as a Tor bridge, are they compromising our connections?”

“If I’m on Gmail would you also be able to hack from there?”

“Is it not a good idea to use multiple forms of protection?”

The first two questions suggest muddled conceptions of how a computer works — which are totally reasonable, given that most people never have to learn anything about where viruses come from, much less how ports, operating systems, or layers work; they rely on other people (the Geek Squad, the Genius Bar, the kid next door, the office IT staff) to know that for them. I’m convinced that by anticipating and proactively addressing more questions about computer systems, we can fend off some of these misunderstandings.


Bicoastal Disorder (DSM-V Definition)

And now, for a brief comedic interlude. I’ve been sitting on this DSM-V-parody definition of bicoastal disorder for a while. My own definition arose from a couple of quick moves and trips between New York and San Francisco. However, it appears the idea’s been around the Internet for years; see this reference to a Wired writer using the phrase in 2000. To the best of my knowledge nobody’s tried to formalize this into a DSM disorder before. Recommendations of additional criteria welcome; actual inclusion of this definition into the DSM NOT recommended.

Diagnostic definition for Bicoastal Disorder:

A. In most weeks during the past year, four (or more) of the following symptoms were present during the first week after moving, began to remit within a few days after the onset of travel, and were absent in the weeks before displacement:

(1) Disorientation; impaired ability to identify compass directions from where one stands; impaired ability to negotiate city streets despite intact motor function

Google Maps: walking directions from New York City to San Francisco.


(2) Failure to properly identify one’s current geographic location (example: “But here in New York, we — dammit, I’m in San Francisco…”)

(3) Repetitive, seemingly driven, and apparently purposeless motor behavior upon exiting a transit system (grabbing for transit card when not needed to exit; bumping into turnstile after failing to swipe card)

(4) Maladaptive use or disuse of automobiles as a means of getting from point A to point B (i.e. trying to drive in Manhattan; insisting on walking to a destination in Los Angeles; driving to get to a location one block away)

Educators’ Toolbox for Security Trainers

I’ve been attending trainings on using Tor, encryption, and other security/privacy tools lately, as OpenITP is exploring what we can do to help along these lines. From an educator’s standpoint, a lot of good work is being done already; trainings have a lot of hands-on components, are very responsive to student questions, and use good metaphors. But there’s always room for improvement. I wanted to share a few ways of thinking about training, from the toolbox I gained as a student at Teachers College, in hopes of starting a discussion about best practices in teaching digital security. Three tools for thinking about teaching come to mind: mental models, fragile knowledge, and “a time for telling.”

Mental Models: Find out what your learners know (or think they know)

So as I mentioned in my post about Tor and the recent Harvard bomb scare: In education, we talk about students’ “mental models,” meaning their understanding (however faulty it is) of how something works. In computing education, this encompasses quite a bit — models of a computer’s current state, of what computer language looks like, of the shape of a network, etc.

Mental models are important to reckon with. Learners are not blank slates. What they already know matters a lot to how they build new knowledge. A big challenge with mental models is that learners may come in to a lesson with a pre-existing mental model of the domain, and that model may be incomplete or incorrect. Learners may then build faulty mental models onto these bad foundations.


Tor Holes: Learning how to teach Tor from the Harvard bomb threat

In education, we talk about the “mental models” students have of the subjects they are learning: the understanding they have of a system. In computing education, this encompasses quite a bit — models of how a computer works, of its current state, of what computer language looks like, of the shape of a network, etc.

As it happens, the bomb threat sent in to Harvard recently presents us with an opportunity to think about one user’s mental model in comparison to the actual threat model — encompassing the school network, the people and agencies able to access its traffic logs, and the tools used by the person sending in the bomb threat.

From what we think we know about the story so far, the guy sending the threat took precautions which he thought would protect him. He used Guerrilla Mail, a service which provides disposable one-time email addresses. And he used Tor, which disguises where the sender’s message is coming from.

Unfortunately for the guy sending the threat (and fortunately for the rest of us who aren’t fond either of bombs or of students who make unreasonable attempts to escape from final exams), the choices he made left him vulnerable to the one known attack against someone trying to hide using Tor: a timing attack. If you have 1) a record of who’s using Tor and when on your campus, 2) the information that a message got to your machine through Tor, and 3) the time stamp on the message sent, it becomes not too hard to tell from the timing which user sent that message. Most of the time Tor users are somewhat protected by the fact that the place they’re using the Internet from (the local Internet cafe, their own Internet service provider) and the place they’re sending a message to (I dunno, someone else’s Gmail account) are not under the control of the same people. When you put both together in the hands of the same Internet service provider, it gets much easier to figure out that the person with stuff going into Tor at time X is the same person whose stuff comes out of Tor a short time later.

Notes on Linux: Harry Potter and the System of Privilege

This is hopefully the last in a series of posts about my experiences diving deeper into Linux, the first ones being about Mac being too pretty, Linux being too buggy, and the learning curve being too steep.

As I was going around a few weeks back hyperbolically screaming that open source software was a tool of the patriarchy — I’d just hit the days when I was utterly dependent on co-workers to get my machine working — I heard the following back from an old friend who was, at one point, one of the most fervent open-source evangelists I knew:

Open source is triply a tool of the patriarchy because it multiplies the privilege of having assloads of time to screw around as a teenager.


image courtesy marzou2.centerblog.net. not actually representative of my friend, but you knew the Internet was bound to provide this image, mm?

This guy is not some hippie n00b who spends all his time on lost political causes. He works for one of the top five tech companies, contributes vital code to open projects, helms a massive distributed team of programmers, both thinks about and works on the big picture of networking. He sometimes describes himself as the Harry Potter of programming, as both his mom and dad were talented, highly visible wizards of programming. He was basically born with a silver chip in his mouth, or something.

This was a casual conversation, so both of us were painting in big, crude strokes. But I know what he was saying, and it bears unpacking:

We should, all of us, try to be conscious of the conditions in which we learned things. Many of us who got deep into computers did do it while we were teenagers and college students, and had tremendous amounts of access and time on our hands. Among the resources we had that we may have taken for granted:
