Embracing the Kobayashi Maru Why You Should Teach Your Students to Cheat

Education Editor: Cynthia Irvine, [email protected]

dversaries cheat. The good guys don’t. In aca- little advance warning about the exam, and insurrection imme- demic institutions around the world, students diately followed. Why were we giving them such an unfair test? understand that they’ll be expelled if they vi- What conceivable purpose would it serve? Now that we had their at- olate their college’s honor code or otherwise tention, we informed the class that we didn’t expect students to actu- Afail to play by institutional rules. But the dissonance between ally memorize the digits of pi, but that we did expect them to cheat. Gregory how our adversaries operate and nario—attempt to rescue the crew How they chose to cheat was en- Conti how we teach our students puts our of a disabled civilian vessel and be tirely up to them. Collaborative US Military students at a distinct disadvantage destroyed in the process, or avoid cheating was also encouraged, but Academy when faced with real-world op- confrontation and leave the dis- everyone involved would fail the ponents who inevitably don’t play abled ship and its crew to be cap- exam if caught. To provide an ad- James by the rules. Breaking through the tured or killed. Famously, Captain ditional incentive, we offered a Caroland paradigm where students self-cen- Kirk beat the scenario, and this is prize to the student who exhib- US Cyber sor their ways of thinking to a new important, by stepping outside the ited the most creative and effective Command archetype that cultivates an effec- game and altering its rules to his cheating technique. tive adversarial mindset is both benefit. By deciding to cheat and necessary and possible. alter the program driving the exer- The Techniques An adversary examines sys- cise, he won the contest. Of the 20 students in the course, tems and finds weaknesses in trust Lest there be any misunder- none were caught, and all of them relationships, human behavior, standing, our purpose here is not used diverse approaches. One stu- communications protocols, physi- to encourage or teach students to dent used his Mandarin Chinese cal security, and system logic to cheat in general, but to have them skills to hide the answers. Another find exploitable vulnerabilities. By learn to think creatively when built a small PowerPoint presenta- anticipating such actions and reac- considering adversary behavior. tion consisting of three slides (an tions, ethical actors are far better all-black slide, a digits of pi slide, prepared to build secure systems The Challenge and another all-black slide), the and perform both defensive and Our variation of the Kobayashi idea being that he could flip to offensive activities successfully. Maru utilized a deliberately unfair the answer slide when the proc- For both the attacker and the de- exam—write the first 100 digits tor wasn’t looking and easily flip fender, a devious mind is equally of pi (3.14159...) from memory— forward or back to a black slide as important as a beautiful one. and was part of the pilot offering after peeking. Several students This article describes our expe- of a governmental cyber warfare hid answers on slips of paper un- riences in helping students develop course. The topic of the test itself der the keyboards on their desks. an adversary mindset by adopt- was somewhat arbitrary; we just One hand-wrote the answer on a ing the Kobayashi Maru training needed a scenario that would be blank sheet of paper (in advance) exercise employed in the fictional too challenging to meet through and simply turned it in, exploiting Star Trek universe. In this exercise, traditional studying. the fact that we didn’t pass out a Starfleet cadets face a no-win sce- By design, we gave the students formal exam sheet. Another just

memorized the first 10 digits of pi and randomly filled in the rest, as- suming the instructors would be too lazy to check every digit. His assumption was correct. The finalists were particularly innovative. The runner-up used two different techniques, a primary and a backup. In his first approach, he remade his desktop nameplate to look legitimate, but the side fac- ing him included the answer in fine print. For his backup plan, he (a) (b) put the answer on a soda can that he concealed with his hand when the proctor walked by (see Figure Figure 1. Examples of student cheats. (a) False book cover containing the answer, and (b) a soda 1b). The winner created a false can with an answer sheet that could be concealed when the test proctor was nearby. book cover for a course text and re- placed portions of the text with the answer, matching text color, font, Because students were seated side common skill to become a formi- and size (see Figure 1a). He then by side and partially hidden be- dable adversary. used hair spray to lightly tack the hind monitors, some used these false page into place. The result was characteristics to further facilitate Being Human all but indistinguishable from the their cheating activities. Because we’re lazy, trusting, and original book. predictable, humans are often the Trust weakest link in any security sys- Learning Security Explicit or implicit trust models are tem, and the students intuitively Principles from the exploitable opportunities. Despite exploited this fact. One student Cheaters our awareness that the students observed that we rarely handed out We learned much from the stu- were cheating, we still inadver- worksheets and frequently asked dents during the course of this tently let our guard down. For ex- students to provide their own pa- exercise. They embraced the test, ample, we wouldn’t have stopped per. This provided a security gap proved far more devious than their a student from using the restroom where they could sneak in an al- day-to-day personas let on, and during the exam. During our ready completed exam and turn impressed us with their ability to group discussion, students suggest- it in. Another student suggested analyze and defeat the inherently ed that going to the bathroom to instructor predictability and mis- flawed classroom system. We drew cheat would have been an easy-to- placed trust as a potential attack the following conclusions from implement approach. It’s because of vector. Because we frequently took observing the techniques the stu- our inherent and unconscious trust extra paper from the printer tray dents used and through an inter- that we leave ourselves open to to provide to the class, the student active group discussion in which exploitation in the physical world said he would pre-position answer they described their cheating, what and online. As security profession- keys in the printer and then ask they learned, and other techniques als, we must learn to think like the us for a sheet of paper. We would they might employ in the future. jaded police officer or prison guard then hand them the answers with- who never takes statements and ac- out knowing it, despite coming The Environment tions at face value. from a “trusted” source. Students instinctively analyzed their environment and found Personal Skillsets Backup Plans weaknesses they could use to their Each student possessed diverse Adversaries rarely seek to accom- advantage. For example, both the skills that he or she could apply to plish their objectives through a presence of computers and the fact the challenge of cheating. Adver- single, all-or-nothing plan. Sev- that they didn’t have to clear their saries do the same. For example, eral students demonstrated this desktops during the exam provid- the student who used Mandarin principle by developing backup ed ample opportunity to use their Chinese to write the answer and plans in case their primary cheat- environment to help them cheat. place it in plain sight used his un- ing tactic was compromised.

www.computer.org/security 73 Education

Tips for Teaching Your tors in considering more com- versary might use social engineer- Students to Cheat prehensive approaches. ing attacks to compromise humans The key to teaching students to Early in the course, we in- and human-centric security sys- cheat is to provide context. Ex- cluded the Hackers Are People, Too tems (www.defcon.org/html/ plain to them the objectives of the documentary (Managed Mischief, links/dc-archives/dc-15-archive. exercise, which are to learn how an 2008) to help students under- html). In the future, we plan to adversary thinks and operates by stand the hacker mindset, which is add a phishing email writing con- deliberately loosening traditional sometimes playful and sometimes test to give students a hands-on rules and tapping personal creativ- adversarial. We also included a exploration of social engineering. ity. While we advocate teaching “divergence” exercise inspired by Weekly throughout the course, students to cheat, instructors must hacker Dan Kaminsky, who posed students read books to explore still provide clear boundaries, lest the question in the documen- various aspects of the adversary there be misunderstandings. In tary, “What are the alternative mindset, including Ender’s Game our case, we made it clear that we uses of a fork?” This seemingly by Orson Scott Card, which illus- expected students to cheat and simple question contains signifi- trated the need to adapt to intelli- that getting caught would result in cant depth. Students frequently gent adversaries; Little Brother X by a failing grade, but that this excep- encounter “convergence” ques- Cory Doctorow, to teach students tion to traditional rules of behav- tions that seek only a single cor- the importance of electronic civil ior only extended to this exercise rect answer. Divergence questions, liberties and the potential for an and not to other graded events in on the other hand, are open ended adversarial relationship between a the course. and compel students to creatively government and its citizens; and We deliberately provided consider a broad range of answers. Fatal System Error by Joseph Menn, minimal warning for the exer- We chose this exercise to warm to examine the real-world actions cise to increase stress levels and students up to new ways of think- and reactions between network material that couldn’t be read- ing about problem solving. defenders and online criminals. ily learned through traditional Early in the course, we held a studying. During the exam, we lock-picking lab and taught stu- sought to further increase the dents how to pick small padlocks. each yourself and your stu- stress and realism by walking oc- The point here, in addition to be- T dents to cheat. We’ve always casionally among the student ing a fun, hands-on exercise, was been taught to color inside the desks. We didn’t try all that hard to challenge students’ assumptions lines, stick to the rules, and never to catch students, but that wasn’t about physical security and derive ever cheat, but in seeking cyberse- the point. We sought merely to commonalities between system curity, we must drop that mindset. increase pressure by acting as re- security and approaches to under- It’s difficult to defeat a creative and alistic exam proctors. We consid- standing and defeating locks. determined adversary who must ered but chose not to go as far as Our course also included Joe find only a single flaw among forcing students into a position Grand, Jake Appelbaum, and myriad defensive measures to be where they must cheat on their Chris Tarnovsky’s case study of successful. We must not tie our own initiative without being told insecurities in the San Francisco hands—and our intellects—at the to do so. We believed this would parking meter system, which same time. If we truly wish to cre- place students into an unfair ethi- taught students how an adversary ate the best possible information cal dilemma, send the wrong mes- might attack critical infrastructure security professionals, being able sage, and most, if not all, students (https://www.defcon.org/html/ to think like an adversary is an would simply fail the exam rather links/dc-archives/dc-17-archive. essential skill. Cheating exercises than cheat illicitly. html). For future work, we’re provide long-term remembrance, considering including a hands- teach students how to effectively Toward a Larger on hardware hacking exercise to evaluate a system, and motivate Mindset Curriculum teach students how an adversary them to think imaginatively. Our Kobayashi Maru exercise might develop or modify hard- Cheating will challenge students’ was part of a larger set of lessons ware by building a TV-B-Gone assumptions about security and designed to cultivate an adver- (www.ladyada.net/make/tvb- the trust models they envision. sary mindset. There isn’t space gone/) universal remote control. Some will find the process un- in this article to describe them in In addition, we included a comfortable. That’s okay, and by similar depth, but we offer here video by Johnny Long on no-tech design, for it’s only by learning the some highlights to assist educa- hacking to illustrate how an ad- thought processes of our adversar-

74 IEEE SECURITY & PRIVACY JULY/AUGUST 2011 Education

ies that we can hope to unleash the creative thinking needed to build the best secure systems, become effective at red teaming and penetration testing, defend against attacks, and conduct ethical hacking activities.

Acknowledgments We thank T.J. White and Peiter “Mudge” Zatko for their feedback and ideas in support of this work. The views in this article are the authors’ and don’t reflect the official policy or position of the United States Mili- tary Academy, the Department of the Army, the Department of the Navy, United States Cyber Command, the Department of Defense, or the United States Government.

Gregory Conti is an associate profes- sor in the US Military Academy’s De- partment of Electrical Engineering and Computer Science and is responsible for the academy’s information security education program. Contact him at [email protected].

James Caroland is a member of the US Cyber Command Commander’s Action Group and an adjunct associate profes- sor in University of Maryland University College’s Cybersecurity Program. Con- tact him at [email protected].

Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.