For his Master's thesis project, Parsons The New School for Design graduate Samuel Snider-Held created “MY V3RY FIRST CYB3R W4R KIT,” an instruction booklet that can teach anyone the basics of computer hacking. Although he has no plans to produce the kit (he couldn’t even get permission to conduct user testing at school), he says it demonstrates the changing nature of power in our increasingly connected world. He talked to Co.Labs about how he came up with the idea, and what a world where cyber war kits are commonplace might look like.
How did you come up with the idea for the Cyber War Kit?
After my first year [at Parsons], the story about Stuxnet was reported by the New York Times. That really got me into wanting to do a thesis project on cyber war and computer hacking. The project is me deciding that I wanted to go into an information security career, but also that in a design technology program. What can a design technology student say about cyber war? When I asked myself that question, the answer was: “Well, you could design it to be relatively easy and that non-technical users can participate in it.”
It feels very familiar to the “teach yourself how to code” websites, but it's obviously a kind of twisted version of that. Did that idea enter into it at all?
In the Design and Technology program, you get people from all sorts of backgrounds. I actually did have some programming background before I started there, but we have a lot of people who have no coding experience at all. There is an atmosphere around the school, but for me, I think that learning computer hacking or wanting to get into information security and computer hacking is a great way to learn all these sorts of technologies. Because you can go about it if you want to learn how to program to build database-driven websites, but you can also learn how to program by wanting to take them down or infiltrate them. One of the things about really expert level hackers is that they're able to do what they can do because they have knowledge that's at the same time as wide as it is deep. One thing that professional white hat hackers do is they spend their days reading technical manuals, because that's how they're going to learn new systems when they engage them.
This is the idea that it’s less about Codecademy and more about everyday people being able to engage in cyber-conflict tactics that we see all over the place. I want to stress that this is not actually a product that I'm selling. I made a single instantiation to prove that something like this could exist. That I could see a future where something like this does exist. Do you ever read Neal Stephenson books?
I read Cryptonomicon.
Snow Crash, another one, is one of the very famous cyberpunk books. I always thought this project was right out of that universe, or something that you would see at the end of Wired or something like that where they have objects from the future. Some people have said that you classify it as a critical design project, but all the material in it is real. We did do user testing, too. I usually say that it just barely isn't real.
That's a great way of putting it, and another thing that I thought was really poignant and interesting is this idea that in the future something like this might exist. There’s this idea that everyone talks about: “Well, everybody should learn how to code.” But in a world where everybody knows how to code, it means far more people know how to hack as well, right?
I definitely believe both. I think people should learn how to code, but I also think people should learn to try to wrap their mind around information security, because that's something that normal people just really don't think about. For me, I wanted to get into this more as a way of thinking. I mean it's a career, but it's more about a way of thinking.
And you think more people will start to think that way?
One of the things about my project is you see all this stuff about cyberwars and computer hacking and the perception is that I, as a regular user, can't do these things. But in fact, these things can be designed so you can use it and not have to understand it. One of the goals for my project was to design instructions so that people could literally copy and paste lines of code into a terminal and at the end of it, they pretty much would have hacked into somebody's social media account or something like that.
There are a lot of pages on the Internet about how to do this. My kit teaches you how to be a script kiddie, which is the lowest form of a hacker, people will say. A large part of the security community will say that script kiddies are dangerous, but not as dangerous as something like an advanced persistent threat like the types of Chinese hackers that were in the Washington Post and The New York Times for eight months.
I would say that makes sense, but they're thinking from a Western, mainly American, point of view. My kit is based on the tactics of the Syrian Electronic Army, who use the simplest hacking techniques like phishing and using software that they don't write, stealing off the Internet to spy on journalists.
Imagine if we had the McCarthy era right now. People could go on the Internet and figure out how to download spyware into their neighbor's computer, and then you start realizing how frightful script kiddies can be.
What’s your perception of the state of information security right now, especially among developers? As a developer, I read about things and have a degree of familiarity with attacks like cross-site scripting and SQL injection, but I wouldn’t trust myself to design a secure system. I have to rely on other people’s libraries.
I think it's something that's just not going to go away because we have all these software systems that are so big and take so many developers to create that it's really hard to find something that is completely secure. Most opinions that you would get from asking experts is that there's really no such thing as a completely secure system.
They always talk about how it's an uphill battle because it takes teams of people to create the software and teams of people to test it, but it only takes one person to find the exploit or zero-day exploit and put down the Internet. One of the things I say when people ask me about cyber conflict and whether or not I think it's a good thing or bad thing is that it just is and you shouldn't be thinking about it in those terms. You need to think about it as trying to understand it, and trying to understand how these things happen and how you as an individual are susceptible to these types of attacks.
The types of attacks that you were talking about are all web-based attacks, right? That's a huge problem because of our reliance on social networking and the blogosphere and stuff like that. We interact with so many more platforms today. Anytime you sign up for a new site, it means you made your attack surface one percent larger. All it takes is one flaw on one of those sites to basically get into your computer.
[Image: Flickr user Mikael Tigerström]