
Computer Security Educational Demo for High School Students

Erwin Adi, Bernadus Kevin Homer
School of Computer Science
BINUS INTERNATIONAL
BINUS BUSINESS SCHOOL
Jl. Hang Lekir 1 No 6, Kebayoran Baru, Jakarta 12120, Indonesia
Phone: +62 21 720-2222 ext. 3141
eadi@binus.edu, k_blacklist_k@yahoo.com

Abstract
The purpose of this thesis project is to build a set of demonstrations to help high school students understand which part of computer science interests them. It can be shown that students' interest in the computer science field of study is low; part of the reason is that computer science is too hard to understand. In an academic environment, students seem to find computer science material hard to learn. On the other hand, hackers have shown immense interest in studying computers, more than anyone else. For example, hackers are willing to spend much time studying even a small system error. The study shows that when students are confronted with hacking tools such as a debugger, a memory editor, or a packet sniffer, they are more willing to learn how the system works. It is hoped that if someone knows how things work, it will give him or her creative ideas for developing programs or further applications. To demonstrate the hacking activities, the author used three demo materials: a chat application written in Visual Basic, game hacking through memory modification, and web hacking through SQL injection. While performing the demonstration, the writer explains to the audience (the students) that the demo follows ethical hacking rules: the hacking shown is for testing purposes only, without harming anyone's system, and no real network or host is compromised. The results of the demo were collected in the form of a survey, and the correlation of each event was calculated. The study does not find any correlation between gender and how interested a student is in the demo. The study observes that web hacking is the most attractive topic for the audience. Useful future work for attracting high-school students to continue into computer science study would place more emphasis on the web hacking demo.

1. Introduction
The final year of high school is critical for each student when it comes to choosing a subject of study for university. It can be observed that no high-school student is certain of what subject he or she is going to pursue a degree in. Computers are intimidating to high-school students. In a survey of 26 high-school students from several high schools in Jakarta (namely Ipeka Puri, Penabur 4, Ketapang 2, Kalam Kudus Green Garden, Santo Andreas and Tiara Kasih Semanan), 37% were not interested in computers. Hence, they are highly unlikely to pursue university study in Computer Science. It remains to be seen whether the remaining 63% of the respondents would enroll in Computer Science or another subject. The survey also found that 42% of the respondents did not refer to computer networking when they were asked about the term networking. Finally, a worrying 69% are not interested in computers and networking. On the other hand, it can be observed that almost all participants in Computer Science info-sessions at Binus International are excited by computer security discussions. The thesis therefore is to verify that demonstrations rooted in computer security would increase the likelihood of high-school students enrolling in the School of Computer Science.

1.1. The Case of Simulation Software


There are many existing networking e-learning systems; one of them is developed by Cisco. But based on an internal, unpublished study [1], the system is not suitable for high school students in Indonesia, because some Indonesian students are not good at using complicated simulation software for study. The problem arises because the simulation software uses a network e-learning system that requires a high internet speed. The study [1] has shown that the simulation software's user interface is user friendly and also fun to play. Therefore the reluctance of the students to interact with the simulation software was not caused by a lack of user friendliness, but rather by the lack of a good network connection. This shows that increasing awareness of how computer networking works is crucial education, rather than withdrawing useful and educational software just because of its slow response. It is hoped that students could participate in performing network diagnosis and listing the problems. This study confirms why students are not keen on learning computer networking. Hence, the thesis provides a solution to encourage students' awareness of computer networking through a fun activity.

1.2. The Case of a Security Protocol Game

Encryption and decryption are a way of hiding the information we send and receive. This way of teaching through a game is reminiscent of a practice in Egypt, in an age when people who wanted to send a secret message needed to find a way to make the message unreadable except by someone at the destination. They figured out how to do that by writing the message on papyrus paper and twisting it around a pole so that it could be read by the people at the destination. To make the data harder for an enemy to steal, they sent it in separate parts. This idea of the game is quite fun to try on a simulation basis. Based on the research in [2], 85% of students agreed or strongly agreed that the game showed them how significant it is to design security protocols properly (average response 4.0). 76% of the students agreed or strongly agreed that the game helped them recognize how security protocols work (average response 3.9). 62% of students agreed or strongly agreed that the game helped them understand the lecture material (average response 3.6). 61% agreed or strongly agreed that it helped them recognize how to design a security protocol properly (average response 3.6). 56% of students agreed or strongly agreed that the game helped them better recognize how SSL works (average response 3.5).

1.3. The Survey Result

In response to the open-ended questions, the students wrote 123 distinct comments. These were collated and classified to identify trends and issues. With regard to the best aspect of the security protocol game, 44 responses were provided. The most common response, given by 15 students, related to learning and understanding security protocols or the attacks upon them. 7 students identified group interaction as the best aspect of the game, while 6 students focused on the hands-on approach provided by the game. Many other responses were conventional, ranging over aspects of the game such as its visual appeal, the fun or challenge aspect, and the importance of security on the Internet.

37 responses were received concerning improvements to the game. The dominant response sought improvement in the clarity and presentation of the rules (11 students). This area was also identified for development by the Like question responses. The students gave specific suggestions for improvement. We plan to work with a student focus group to develop a rules document that is easier for the students to use. Seven students requested solutions to the game: specific strategies to break particular protocols. Such solutions are provided to tutors but have not been provided to the students. A student focus group could be used to identify how much information to provide so that students can explore attacks on the protocols while still facing a suitable learning challenge. Seven students wanted more time devoted to the game, expressing the desire to understand the more difficult concepts that the game supports. A further 7 students requested a computerized version of the game, so that they could play it online. 2 students identified problems they experienced with group interaction.

For the question asking the students to identify the most important thing they learned from playing the game, 37 responses were received. The dominant response (12 students) shared the same idea: that it is a good game that helps students understand the design and operation of protocols for secure data communications. They learned how to encrypt and decrypt data.

1.4. What We Have Learned

Some kinds of teaching techniques are good for teaching security protocols, because they are fun and make students play without realizing that they are actually studying. The students could understand more about interface design and the operation of protocols for secure data communications. Besides that, the game also gives a new experience in networking by simulating a complex protocol. It may also give students an idea of what a computer network really is, and give them more innovative ideas when they use similar applications such as a messenger.

2. Design of the Demonstration


To demonstrate the hacking activities, the author used three demo materials: a chat application written in Visual Basic, game hacking through memory modification, and web hacking through SQL injection. While performing the demonstration, the writer explains to the audience (the students) that the demo follows ethical hacking rules: the hacking shown is for testing purposes only, without harming anyone's system, and no real network or host is compromised.

A Web-Hacking demo is developed based on the SQL injection attack model. A web site is developed using Java servlets/JSP on a Tomcat server. A MySQL database serves as the backend, which interacts with the servlet through a JavaBean. The design follows the MVC architecture pictured below.

A Game Hacking demo is developed based on the Dynamic Memory Address manipulation model. A freeware tool named wpe-pro is used to change the content of a private address by using another program that points to the same address through its public declaration.

A Chat Manipulation demo is developed based on the man-in-the-middle attack model. We developed our own client and server that serve as a chat system. Due to limited hardware availability, the client and the server are located on one single laptop. Although this is not ideal for demonstrating the man-in-the-middle attack, the solution effectively shows the audience that no third-party system is harmed during the hack.

[Figure: Man-in-the-middle Attack]
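The web-hacking demo described above rests on a query that is built from form input. As an added example (not the paper's servlet code), the sketch below puts a concatenated lookup beside a parameterized one; it uses Python's sqlite3 in place of the JavaBean and MySQL backend, and the users table, names and passwords are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the demo site's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db


def login_concatenated(db, name, password):
    """Model-layer lookup that splices form input into the SQL text (injectable)."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in db.execute(sql))


def login_parameterized(db, name, password):
    """Same lookup with bound parameters: input is always data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (name, password)))


def compare(name, password):
    """Run both lookups on a fresh database and return (concatenated, parameterized)."""
    db = make_db()
    try:
        try:
            weak = login_concatenated(db, name, password)
        except sqlite3.Error:
            weak = "query error"  # a stray quote broke the SQL text itself
        return weak, login_parameterized(db, name, password)
    finally:
        db.close()


if __name__ == "__main__":
    # Constructed inputs: a valid login, a wrong password, a quote-bearing
    # password that rewrites the WHERE clause, and a name with an apostrophe.
    cases = [("alice", "correct-horse"), ("alice", "wrong"),
             ("alice", "x' OR '1'='1"), ("O'Brien", "pw")]
    for name, password in cases:
        weak, safe = compare(name, password)
        print(f"{name!r} / {password!r}: concatenated={weak} parameterized={safe}")
```

The last case shows that the concatenated form also fails on ordinary input: an apostrophe in a name is enough to break the statement, while the parameterized form simply finds no match.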

3. Implementation and Result of the Demo


[Figure: MVC Architecture]

[Figure: Winsock Packet Editor (WPE) Pro]

During the testing day, we questioned the high-school students using a questionnaire we designed. We chose random students who came to see the demo. The questionnaires were processed into pie charts for easy observation. Some of the results that relate to this project are discussed below.

Assumption 1 was, "Hacking is the reason why high school students are interested in the computer science field of study." We did not find that this is true. In fact, most of the drive for students to choose a particular major came from their peers or parents. On the other hand, the main reason students are curious about hacking tricks is to be the big kid in the online community who can tell when others lie. In particular, they use the internet for chatting and for social networking websites like Friendster and Facebook. Therefore most of them want to know whether their network relations are using their true identity or not.

Assumption 2 was, "Game hacking is the most interesting of the three kinds of hacking." The assumption arose because it was assumed that the primary reason hacking is interesting to students was to win online games against their peers. The study found that this is not true. Web hacking is the most interesting of all the demos. When any student was asked which demo he or she would like to see first, all of them asked to see the web-hacking demo. When the audience were asked if they knew any hacking method beforehand, most of the respondents said never. 35% of them perceive that this hacking method has been written about in books but have never seen the real thing live, while 15% of the respondents are familiar with the trick.

[Figure: Share of Familiarity with the Demo]

The following figure depicts the degree of attractiveness of each hacking trick. 50% of the respondents answered that they are interested in web hacking (SQL injection), 18% of them showed interest in the network hack (sniffing hack), and 32% of them like the game hacking (memory hack).

[Figure: Degree of Attractiveness]

4. Discussions

4.1. Correlation

Although there was a large audience for the demo, we sampled 16 of them for questioning. The data in question are which demo is attractive, whether the students are interested in going for computer science study after viewing the demonstration, and whether any of these has any correlation with gender (since it has been known that most computer science classes are saturated with male). To analyze the data, the positive answers are given score 1, while negative answers are scored 0. The following table summarizes the result.

Title                (a) Attractiveness   (b) Gender   (c) CS Interested
Student 1            1                    1            1
Student 2            1                    1            1
Student 3            0                    1            1
Student 4            0                    0            0
Student 5            0                    1            0
Student 6            1                    1            0
Student 7            0                    1            0
Student 8            1                    1            0
Student 9            0                    0            0
Student 10           0                    0            0
Student 11           0                    0            0
Student 12           1                    1            0
Student 13           1                    1            0
Student 14           0                    1            0
Student 15           0                    1            0
Student 16           1                    1            0
Mean                 0.4375               0.75         0.1875
Standard Deviation   0.49608              0.43301      0.38122

Correlation (a) with (b) = 0.5091
Correlation (a) with (c) = 0.2219
Correlation (b) with (c) = 0.27735

The readers can see in this data that the numbers in columns two, three and four are the answers the writer got from the survey. The writer needs to know the correlation between these numbers. To obtain the correlation, we need to know what it means, which explains why the procedure is not trivial.

The mean is the sum of the entire list divided by the number of items in the list: M = (Sum of Data A) / (Number of Data A). After that we need to calculate the standard deviation, which uses this formula:

X represents all of the survey data from one table, for example people number 1-16; M is the mean of that table; and N is the number of data points that we want to calculate over, in this case 16. After that we also need the Z value, from

Z = (Data - Mean) / Standard Deviation

After that we get the correlation using this formula:

$$ r = \frac{N\sum XY - (\sum X)(\sum Y)}{\sqrt{\left[N\sum X^2 - (\sum X)^2\right]\left[N\sum Y^2 - (\sum Y)^2\right]}} $$

From this calculation, we can compare the results for demo attractiveness (column a), gender (column b), and the students' attitude toward taking computer science for their further study after seeing the demonstration (column c). Since the correlation coefficients shown above are far from 1 or -1, the study does not find any significant correlation between gender and how interested the students are in the demo. The study also does not find any correlation between gender and the choice of academic interest in computer science. Similarly, the study does not find any correlation between the attractiveness of the demo and the students' attitude toward going for computer science as their further education after seeing the demo. However, it can be observed from the interviews that web hacking is the topic that most attracted the audience. Therefore useful future work would place more emphasis on web hacking.

4.2. Population Growth

This figure explains everything about the growth of the audience population during the demo, which increased each time people gathered. When we showed the demo to the high school students who had just come into the Binus open house, only 2 people gathered at the demo. The number of participants then increased, roughly doubling every 5 minutes. After asking the students several questions, we discovered that web hacking is becoming more popular than the rest of the hacking techniques. As we know, most of them are still between 16 and 18 years old, and some of them love to use messenger and social websites like Friendster and Facebook. The second most popular demo was the game hacking. This is in line with the authors' experience observing the audience of online games. The majority of the online gamers were high-school students, and they tend to be willing to use any cheating method to win a game. Hence memory hacking was ranked popular in this demo, since the audience were thrilled to see how they can cheat by modifying a value. Although the chatting hack was ranked last, the demo can be assured to be interesting. It can be seen that none of the audience balked until the whole demonstration ended. This demonstration is very useful as a hook for learning computer networking.
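The correlation calculation described in section 4.1, as an added example (not code from the paper): it applies the raw-sum correlation formula and the equivalent Z-value route to the three columns of the survey table. Dividing by N in the standard deviation is an assumption, since the paper's standard deviation formula did not survive on the page.

```python
from math import sqrt

# Survey answers from the paper's table, students 1..16 (1 = positive, 0 = negative).
ATTRACTIVENESS = [1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1]  # column (a)
GENDER = [1, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1]          # column (b)
CS_INTERESTED = [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]   # column (c)


def mean(xs):
    return sum(xs) / len(xs)


def std_dev(xs):
    """Standard deviation dividing by N (assumption: the paper's formula is missing)."""
    m = mean(xs)
    return sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def correlation(xs, ys):
    """r = (N*SXY - SX*SY) / sqrt((N*SXX - SX^2) * (N*SYY - SY^2))."""
    if len(xs) != len(ys) or not xs:
        raise ValueError("columns must be non-empty and of equal length")
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxy = sum(x * y for x, y in zip(xs, ys))
    sxx = sum(x * x for x in xs)
    syy = sum(y * y for y in ys)
    denom = sqrt((n * sxx - sx ** 2) * (n * syy - sy ** 2))
    if denom == 0:
        # A column where every student gave the same answer has no spread.
        raise ValueError("correlation is undefined for a constant column")
    return (n * sxy - sx * sy) / denom


def correlation_from_z(xs, ys):
    """Same r, computed as the average product of the two columns' Z values."""
    mx, my, sdx, sdy = mean(xs), mean(ys), std_dev(xs), std_dev(ys)
    if sdx == 0 or sdy == 0:
        raise ValueError("correlation is undefined for a constant column")
    return sum(((x - mx) / sdx) * ((y - my) / sdy) for x, y in zip(xs, ys)) / len(xs)


if __name__ == "__main__":
    columns = {"a": ATTRACTIVENESS, "b": GENDER, "c": CS_INTERESTED}
    for name, col in columns.items():
        print(f"({name}) mean={mean(col):.4f} sd={std_dev(col):.5f}")
    for p, q in [("a", "b"), ("a", "c"), ("b", "c")]:
        r = correlation(columns[p], columns[q])
        rz = correlation_from_z(columns[p], columns[q])
        print(f"r({p},{q}) = {r:.5f} (via Z values: {rz:.5f})")
```

Run over the table, both routes agree and reproduce the three published coefficients; the divide-by-N standard deviation matches the printed values for columns (a) and (b) and gives 0.3903 for column (c).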

5. Conclusion and Recommendation


[Figure: Population of the Demo as a Function of Time]

5.1. Conclusion

This thesis is a research project about how current applications can be used to attract an audience and increase their motivation to study computer science. It can be seen that the difficult parts of the subject can be demonstrated in other ways that are addictive. The memory-hacking application enables the students to see a clear picture of how programs are loaded and run in RAM and can be modified through a debugger. This demonstration gives basic knowledge about addresses, pointers, private addresses and public addresses, which are normally hard to swallow. The future work from there is to encourage the students to learn a more difficult, lower-level machine language like assembly. Modifying an address could also bring us into assembly syntax, such as the instruction used to freeze, called nop (no operation) in assembly.

As broadly discussed in the problem analysis and evaluation section above, the chatting hack and sniffing program help motivate the students to learn computer networking. The web hacking, being the most popular demo that the study witnessed, is the mutual hook for the students to learn about web programming. Learning server-side web programming is not a trivial course, since the student must understand object technology, computer communication through request and response, database skills, and structured programming like HTML. The web hacking demo through SQL injection has been shown to spark the students' curiosity, while enabling the instructor to explain the technology behind it.

5.2. Recommendation

This project is not closed to further development. Many features are still applicable to this hacking demo in order to create a good security program. Some features that can be implemented in future work are Cross Site Scripting (XSS), cookie and session hijacking, PHP injection, and Rapidshare and mega-upload cookie manipulation.

6. References
[1] Michael Loistianto and Jan Sebastian Vigar, Network ELearning, Binus International, 2008.
[2] Leonard G. C. Hamey, Department of Computing, Macquarie University

7. About the Authors

Erwin Adi has a Master's degree in Telecommunications from the University of Strathclyde, Glasgow, UK. His Bachelor's degree was in Computer Science and Applied Mathematics/Statistics from the State University of New York at Stony Brook, USA. He has about 12 years of experience in computing technology. His early career includes being a Network Engineer in Belgium with KPNQwest, the most extensive IP coverage network at the time, and then at British Telecom. During that time he gained experience in handling hands-on fiber networks in the field, controlling a European-wide network from the central operation under a wide range of platforms, troubleshooting IP-related problems, and mitigating high-impact network failures. The complexity of the environment demanded him to finally learn some European languages (with some effort). He joined his family business in Indonesia for a couple of years and was responsible for marketing activities, while at the same time acting as the internal network and IT manager. His passion for computing technology brought him to join Binus University, where he teaches, trains, and researches network and security topics.

Bernadus Kevin Homer was a student at Binus International, School of Computer Science. He developed most of the technical preparations needed for the demo discussed in this paper.
