Computer Security Educational Demo for High School Students
Erwin Adi, Bernadus Kevin Homer
School of Computer Science
BINUS INTERNATIONAL – BINUS BUSINESS SCHOOL
Jl. Hang Lekir 1 No 6, Kebayoran Baru, Jakarta 12120, Indonesia
Phone: +62 21 720-2222 ext. 3141
eadi@binus.edu, k_blacklist_k@yahoo.com

Abstract

The purpose of this thesis project is to build a set of demonstrations that help high school students understand which part of computer science interests them. Students' interest in studying computer science is low; part of the reason is that computer science is seen as too hard to understand. In an academic environment, students find computer science material hard to learn. Hackers, on the other hand, have shown immense interest in studying computers, more than anyone else: a hacker is willing to spend a great deal of time studying even a small system error. This study shows that when students are confronted with hacking tools such as a debugger, a memory editor or a packet sniffer, they become more willing to learn how the system works. It is hoped that once someone knows how things work, he or she will have creative ideas for developing programs and further applications.

To demonstrate the hacking activities, the author used three demo materials: a chat application written in Visual Basic, game hacking through memory modification, and web hacking through SQL injection. While performing the demonstration, the writer explains to the audience (the students) that the demo follows ethical hacking rules: the hacking shown is for testing purposes only, harms nobody's system, and compromises no real network or host. The results of the demo were collected in the form of a survey, and the correlation between each pair of variables was calculated. The study does not find any correlation between gender and how interested a student is in the demo. The study observes that web hacking is the most attractive topic for the audience. Future work aimed at attracting high-school students to continue into a computer science degree should therefore emphasize the web hacking demo.

1. Introduction

The final year of high school is critical, because it is when each student must choose a subject of study for their university application. It can be observed that no high-school student is certain of the subject in which they will pursue a degree.

Computers are intimidating to high-school students. In a survey of 26 high-school students from several high schools in Jakarta (namely Ipeka Puri, Penabur 4, Ketapang 2, Kalam Kudus Green Garden, Santo Andreas and Tiara Kasih Semanan), 37% are not interested in computers. Hence it is highly unlikely that they will pursue a university degree in Computer Science. It remains to be seen whether the remaining 63% of the respondents would enroll in Computer Science or another subject. The survey also found that 42% of the respondents do not think of "computer networking" when asked about the term "networking." Finally, a worrying 69% are not interested in computers and networking.

On the other hand, it can be observed that almost all participants in the Computer Science info-sessions at Binus International are excited by computer security discussions. The thesis therefore sets out to verify that demonstrations rooted in computer security increase the likelihood of high-school students enrolling in the School of Computer Science.

1.1. The Case of Simulation Software

There are many existing networking e-learning systems; one of them is developed by Cisco. Based on an internal, unpublished study [1], however, that system is not suitable for high school students in Indonesia, because some Indonesian students are not good at using complicated simulation software for study. The problem arises because the simulation software is delivered through a network e-learning system that requires a high
internet speed. The study [1] has shown that the simulation software's user interface is user friendly and fun to play with. The students' reluctance to interact with the simulation software was therefore not caused by a lack of user friendliness but by the lack of a good network connection. This shows that raising awareness of how computer networking works is a crucial part of education, rather than withdrawing useful and educational software just because of its slow response. It is hoped that students could take part in diagnosing the network and listing the problems. This study confirms why students are not keen to learn computer networking. Hence the thesis provides a solution for raising students' awareness of computer networking through a fun activity.

1.2. The Case of a Security Protocol Game

Encryption and decryption are a way of hiding the information we send and receive. This way of teaching through a game recalls a practice in ancient Egypt: people who wanted to send a secret message had to find a way to make the message unreadable except by someone at the destination. They did so by writing the message on papyrus wound around a pole, so that only the people at the destination could read it. To make the data harder for an enemy to steal, they sent it in separate pieces. This idea of the game is quite fun to try in a simulation. Based on the research in [2], 85% of students agreed or strongly agreed that the game showed them how significant it is to design security protocols properly (average response 4.0). 76% of the students agreed or strongly agreed that the game helped them recognize how security protocols work (average response 3.9). 62% of students agreed or strongly agreed that the game helped them understand the lecture material (average response 3.6). 61% agreed or strongly agreed that it helped them recognize how to design a security protocol properly (average response 3.6). 56% of students agreed or strongly agreed that the game helped them better recognize how SSL works (average response 3.5).

1.3. The Survey Result

In response to the open-ended questions, the students wrote 123 distinct comments. These were collated and classified to identify trends and issues. With regard to the best aspect of the security protocol game, 44 responses were provided. The most common response, given by 15 students, related to learning and understanding security protocols or the attacks upon them. 7 students identified group interaction as the best aspect of the game, while 6 students focused on the hands-on approach provided by the game. Many other responses were conventional, ranging over aspects of the game such as its visual appeal, the fun or challenge aspect, and the importance of security on the Internet.

37 responses were received concerning improvements to the game. The dominant response was a call for improvement in the clarity and presentation of the rules (11 students). This area was also identified for development by the responses to the Like question. The students gave specific suggestions for improvement. We plan to work with a student focus group to develop a rules document that is easier for the students to use. Seven students requested solutions to the game, that is, specific strategies to break particular protocols. Such solutions are provided to tutors but have not been provided to the students. A student focus group could be used to identify how much information to provide so that students can explore attacks on the protocols while still facing a suitable learning challenge.

Seven students wanted more time devoted to the game, expressing the desire to understand the more difficult concepts that the game supports. A further 7 students requested a computerized version of the game, so that they could play it online. 2 students identified problems they experienced with group interaction. For the question asking the students to identify the most important thing they learned from playing the game, 37 responses were received. The dominant response (12 students) expressed the same idea: that it is a good game that helps students understand the design and operation of protocols for secure data communications. They have learned how to encrypt and decrypt data.

1.4. What We Have Learned

Some teaching techniques are good for teaching security protocols because they are fun and make students play without realizing that they are actually studying. The students could understand more about interface design and the operation of protocols for secure data communications. Besides that, the game also gives new experience in networking by simulating a complex protocol. It can also give students an idea of what a computer
network really is, and also give them more innovative ideas when they use similar applications such as a messenger.

2. Design of the Demonstration

To demonstrate the hacking activities, the author used three demo materials: a chat application written in Visual Basic, game hacking through memory modification, and web hacking through SQL injection. While performing the demonstration, the writer explains to the audience (the students) that the demo follows ethical hacking rules: the hacking shown is for testing purposes only, harms nobody's system, and compromises no real network or host.

A "Game Hacking" demo is developed based on the model of dynamic memory address manipulation. A freeware tool named WPE Pro is used to change the content of a private address by using another program that points to the same address through its public declaration.

A "Chat Manipulation" demo is developed based on the man-in-the-middle attack model. We developed our own client and server, which together serve as a chat system. Due to limited hardware availability, the client and the server are located on one single laptop. Although this is not ideal for demonstrating a man-in-the-middle attack, the setup effectively shows the audience that no third-party system is harmed during the hack.

[Figure: Man-in-the-middle Attack]

A "Web-Hacking" demo is developed based on the SQL injection attack model. A web site is developed using Java servlets/JSP on a Tomcat server. A MySQL database serves as the backend, which interacts with the servlet through a JavaBean. The design follows the MVC architecture pictured below.
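What the Web-Hacking demo exercises, as an added example that is not the paper's code: the login query of the model layer written the way a naive JavaBean would concatenate it, beside the parameterized form that defeats the injection. The paper's site runs on Java servlets and MySQL; this stand-in uses Python with an in-memory SQLite database and two constructed accounts so it runs offline, and the injected username is a constructed sample input (the paper does not record the input its demo used).

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the demo's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # constructed
    return conn


def login_vulnerable(conn, name, password):
    """How a naive model bean builds the query: the user's input is pasted
    into the SQL text, so quotes and keywords in it are parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """The hardened form: the SQL text is fixed and the driver binds the
    inputs as values, so the same input is just a username that does not exist."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Run both forms with an honest login, a wrong password, and a
    tautology input (constructed here); only the concatenated form lets the
    tautology in, because the trailing -- comments out the password check."""
    conn = build_db()
    injected_name = "x' OR '1'='1' --"   # constructed sample input
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "honest_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "wrong_password_vulnerable": login_vulnerable(conn, "alice", "nope"),
        "injected_vulnerable": login_vulnerable(conn, injected_name, "nope"),
        "injected_parameterized": login_parameterized(conn, injected_name, "nope"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:28s} logged in: {logged_in}")
```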
[Figure: MVC Architecture]

[Figure: Winsock Packet Editor (WPE) Pro]

3. Implementation and Result of the Demo

During the testing day, we asked the high-school students questions based on a questionnaire we designed. We chose students at random from those who came to see the demo. The questionnaires were processed into pie charts so that they could be observed easily. Some of the results that relate to this project are discussed below.

Assumption 1 was, "Hacking is the reason why high school students are interested in the computer science field of study." We did not find this to be true. In fact, most of the drive behind a student's choice of a particular major came from peers or parents. On the other hand, the main reason students are curious about hacking tricks is to be the big kid in the online community who can tell when others are lying. In particular, they use the internet for chatting and for social networking sites like Friendster and Facebook; therefore most of them want to know whether their online contacts are who they claim to be.

Assumption 2 was, "Game hacking is the most interesting of the three kinds of hacking." The assumption arose because it was assumed that the primary reason hacking interests students is to win online games against their peers. The study found that this is not true. Web hacking is the most interesting out
of any demo. When any student was asked which demo he or she would like to see first, all of them asked to see the web-hacking demo.

When the audience were asked whether they knew any of the hacking methods beforehand, most of the respondents said never. 35% of them had read about the hacking method in a book but never seen the real thing live, while 15% of the respondents were familiar with the trick.

[Figure: Share of Familiarity with the Demo]

The following figure depicts the degree of attractiveness of each hacking trick. 50% of the respondents answered that they are interested in web hacking (SQL injection), 18% of them showed interest in the network hack (sniffing hack), and 32% of them like the game hacking (memory hack).

[Figure: Degree of Attractiveness]

4. Discussions

4.1. Correlation

Although there was a large audience for the demo, we sampled 16 of them for questioning. The data in question are which demo is attractive, whether the students are interested in going on to computer science study after viewing the demonstration, and whether either of these has any correlation with gender (since it is well known that most computer science classes are saturated with males). To analyze the data, positive answers are given a score of 1, while negative answers are scored 0. The following table summarizes the result.

Title               (a) Attractiveness   (b) Gender   (c) CS Interested
Student 1                   1                 1               1
Student 2                   1                 1               1
Student 3                   0                 1               1
Student 4                   0                 0               0
Student 5                   0                 1               0
Student 6                   1                 1               0
Student 7                   0                 1               0
Student 8                   1                 1               0
Student 9                   0                 0               0
Student 10                  0                 0               0
Student 11                  0                 0               0
Student 12                  1                 1               0
Student 13                  1                 1               0
Student 14                  0                 1               0
Student 15                  0                 1               0
Student 16                  1                 1               0
Mean                     0.4375             0.75           0.1875
Standard Deviation       0.49608            0.43301        0.38122

Correlation (a) with (b) = 0.5091
Correlation (a) with (c) = 0.2219
Correlation (b) with (c) = 0.27735

The numbers in columns two, three and four of this table are the answers the writer obtained from the survey. The writer needs to know the correlation between these numbers. To obtain the correlation, we need to know what it means, which is why the procedure is not trivial.

Mean is the sum of the entire list divided by the number of items in the list:

M = (Sum of Data A) / (Number of Data A)

After that we need to calculate the standard deviation, which uses this formula:
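The standard deviation formula is an image that did not survive extraction, so here is the whole procedure of this section carried through in Python as an added worked example (not the paper's own code): the mean, the population standard deviation, the Z value of every answer, and the correlation r computed both with the paper's raw-score formula and as the mean of the products of Z values. The 16 rows are copied from the table above; nothing else is assumed.

```python
import math

# Columns (a) attractiveness, (b) gender, (c) CS interest for students 1..16,
# copied from the survey table in the paper.
SURVEY = {
    "a": [1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1],
    "b": [1, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1],
    "c": [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}


def mean(data):
    """M = (sum of data) / (number of data)."""
    return sum(data) / len(data)


def std_dev(data):
    """Population standard deviation, sqrt(mean of (X - M)^2); this is the
    form that gives the 0.49608 and 0.43301 in the paper's table."""
    m = mean(data)
    return math.sqrt(sum((x - m) ** 2 for x in data) / len(data))


def z_values(data):
    """Z = (Data - Mean) / Standard Deviation, one per student."""
    m, s = mean(data), std_dev(data)
    return [(x - m) / s for x in data]


def correlation(xs, ys):
    """The paper's raw-score formula:
    r = (N*sum(XY) - sum(X)*sum(Y))
        / sqrt([N*sum(X^2) - sum(X)^2] * [N*sum(Y^2) - sum(Y)^2])"""
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxy = sum(x * y for x, y in zip(xs, ys))
    sxx, syy = sum(x * x for x in xs), sum(y * y for y in ys)
    return (n * sxy - sx * sy) / math.sqrt((n * sxx - sx ** 2) * (n * syy - sy ** 2))


def correlation_via_z(xs, ys):
    """The same coefficient as the mean of the products of Z values; with
    the population standard deviation it agrees with correlation() exactly."""
    return sum(a * b for a, b in zip(z_values(xs), z_values(ys))) / len(xs)


def analyse():
    """The three coefficients the paper reports: (a,b), (a,c), (b,c)."""
    return {p + q: correlation(SURVEY[p], SURVEY[q])
            for p, q in (("a", "b"), ("a", "c"), ("b", "c"))}


if __name__ == "__main__":
    for col in "abc":
        print(col, "mean", mean(SURVEY[col]), "std", round(std_dev(SURVEY[col]), 5))
    print({k: round(v, 4) for k, v in analyse().items()})
```

With N = 16 the raw-score formula gives 0.5092, 0.2219 and 0.2774 to four places, matching the coefficients in the table.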
X represents all of the survey data from one table, for example people number 1 to 16; M is the mean of that table; and N is the number of data items we want to calculate with, in this case 16.

After that we also need the Z value:

Z = (Data − Mean) / Standard Deviation

After that we obtain the correlation using this formula:

Correlation (r) = (NΣXY − (ΣX)(ΣY)) / Sqrt([NΣX² − (ΣX)²][NΣY² − (ΣY)²])

From this calculation, we can compare the results for demo attractiveness (column a), gender (column b), and the students' attitude towards taking computer science for their further study after seeing the demonstration (column c).

Since the correlation coefficients shown above are far from 1 or -1, the study does not find any significant correlation between gender and how interested the students are in the demo. The study also does not find any correlation between gender and their choice of academic interest in computer science. Similarly, the study does not find any correlation between the attractiveness of the demo and the students' attitude towards pursuing computer science as their further education after seeing the demo.

However, it can be observed from the interviews that web hacking is the topic that attracted the audience most. Therefore useful future work would emphasize the web hacking more.

4.2. Population Growth

[Figure: Population of the Demo as a Function of Time]

This figure shows the growth of the audience population during the demo, which increased each time people gathered. When we showed the demo to the high school students who had just come to the Binus open house, only 2 people gathered at the demo at first. The number of participants then roughly doubled every 5 minutes. After asking the students several questions, we discovered that web hacking was becoming more popular than the other hacking techniques. As most of them are still between 16 and 18 years old, some of them love using messengers and social networking sites like Friendster and Facebook.

The second most popular demo was the game hacking. This is in line with the author's experience observing the audience of online games. The majority of online gamers were high-school students, and they tend to be willing to use any cheating method to win a game. Hence memory hacking ranked as popular in this demo, since the audience were thrilled to see how they could cheat by modifying the value.

Although the chatting hack was ranked last, the demo can be assured of being interesting: none of the audience left until the whole demonstration ended. This demonstration is very useful as a hook for learning computer networking.

5. Conclusion and Recommendation

5.1. Conclusion

This thesis is a research project about how current applications can be used to attract an audience and increase their motivation to study computer science. It shows that the difficult parts of a course of study can be demonstrated in other ways that are addictive.

The memory-hacking application lets the students see a clear picture of how programs are loaded and run through RAM and can be modified through a debugger. This demonstration gives basic knowledge about addresses, pointers, private addresses and public addresses, which are normally hard to swallow. Future work from here is to encourage the students to learn a more difficult, lower level machine language like assembly. Modifying addresses
could also bring us to assembly syntax, where a value is frozen with the instruction called nop (no operation).

As discussed at length in the problem analysis and evaluation sections above, the chatting hack and the sniffing program help motivate the students to learn computer networking.

The web hacking, being the most popular demo the study witnessed, is the common hook for the students to learn about web programming. Learning server-side web programming is not a trivial course, since the student must understand object technology, computer communication through request and response, database skills, and structured programming like HTML. The web hacking demo through SQL injection has been shown to spark the students' curiosity, while enabling the instructor to explain the technology behind it.

5.2. Recommendation

This project is open to further development. Many features can still be added to this hacking demo in order to build a good security program. Some features that could be implemented in future work are Cross-Site Scripting (XSS), cookie and session hijacking, PHP injection, and Rapidshare and Megaupload cookie manipulation.

6. References

[1] Michael Loistianto and Jan Sebastian Vigar, Network E-Learning, Binus International, 2008.
[2] Leonard G. C. Hamey, Department of Computing, Macquarie University.

7. About the Authors

Erwin Adi has a Master's degree in Telecommunications from the University of Strathclyde, Glasgow, UK. His Bachelor's degree was in Computer Science and Applied Mathematics/Statistics from the State University of New York at Stony Brook, USA.

He has about 12 years of experience in computing technology. His early career included being a Network Engineer in Belgium with KPNQwest, the most extensive IP coverage network at the time, and then at British Telecom. During that time he gained experience in handling fiber networks hands-on in the field, controlling a Europe-wide network from the central operation on a wide range of platforms, troubleshooting IP-related problems, and mitigating high-impact network failures. The complexity of the environment demanded that he finally learn some European languages (with some effort).

He joined his family business in Indonesia for a couple of years and was responsible for marketing activities, while at the same time acting as the internal network and IT manager. His passion for computing technology brought him to join Binus University, where he teaches, trains, and researches network and security topics.

Bernadus Kevin Homer was a student at Binus International, School of Computer Science. He developed most of the technical preparations needed for the demo discussed in this paper.