Scott Shapiro teaches at Yale Law School, which is bad enough, but what he teaches is even more concerning.
For the past four years, I have taught a cybersecurity class at Yale Law School in which I show my students how to break into computers. Having grown up with a user-friendly web, my students generally have no real idea how the internet or computers work. They are surprised to find how easily they learn to hack and how much they enjoy it. (I do, too, and I didn’t hack a computer until I was 52.) By the end of the semester, they are cracking passwords, cloning websites and crashing servers.
It’s one thing to come upon hacking (the computer kind, not the MIT kind) of your own accord. It’s another to tell people who would otherwise manage to live their lives using Windows how to do so. Why?
Why do I teach idealistic young people how to lead a life of cybercrime? Many of my students will pursue careers in government or with law firms whose clients include major technology companies. I want these budding lawyers to understand their clients’ issues. But my larger aim is to put technical expertise in its place: I want my students to realize that technology alone is not enough to solve the problems we face.
It’s true that some Yale law students end up in government. Historically, quite a few went to work for the government to bide their time until a federal judgeship or corner biglaw office opened up. But these days, they also march, shout down speakers with whom they disagree and, maybe, throw Molotov cocktails into police cars. There are some Yale law students, perhaps many or even most, who believe their “cause” is more righteous than the law. Indeed, this is exacerbated by their being taught that the law is a sham as reflected by our illegitimate Supreme Court of partisan hacks.
The good news is that there are promising ways to tackle the human dimensions of the problem — that is, the social, economic and psychological aspects. The bad news is that we have largely failed to pursue them.
While he didn’t quite mean it this way, it nonetheless remains true that these students are seeing the utility of hacking in social, economic and psychological aspects. Shapiro is referring to students appreciating that the technical ability to hack is only one dimension of the problem. What of students appreciating that if black hat hackers can do it for bad purposes, why can’t white hat hackers, meaning them because of course they’re the good guys in their own story, do it for their righteous purposes?
Shapiro goes on reciting a variety of good purposes and reasons for his course, such that future lawyers can address the threats of hacking in an effective and comprehensive way. Fair enough. But it assumes that their interest in the subject aligns with Shapiro’s rather than the hackers’.
We can also help hackers themselves. Hackers are often thought of as brilliant disaffected young men who live in their parents’ basements and wreak havoc for the sheer fun of it. The truth is more familiar. Cybercriminals are, by and large, out to make a living — often in the absence of legitimate ways to use their skills.
Whether that’s true isn’t clear, as this wasn’t a law review article and Shapiro dropped no footnote. But need the lesson be that Yale (or any law school) law students will grow into lawyers dedicated to thwarting the nightmare of hacking, or that Yale law students will grow into lawyers who have learned a trade that can be used for the cause?
Shapiro, obviously, has faith in Yale law students being taught, and possessing, the skills to crack passwords, clone websites and crash servers. Do you? Will this further these inchoate senators to enact laws that effectively address hacking or will this enable them to bring down any person or entity that fails to align with their ideology?
*Tuesday Talk rules apply.
Teaching a course on how to hack computers is no more teaching someone to ‘lead a life of cybercrime’ than teaching a locksmith their trade. Also, after one cybersecurity class, even at Yale Law School, one might think twice before believing they’ve developed a comprehensive understanding of anything more useful than, perhaps, how to protect themselves from one day being embarrassed by an easily avoided penetration.
The trade of locksmithing is locksmithing. The trade of lawyering is not hacking. You really need to stop trying to come up with analogies. You really suck at it.
As for whether Shapiro can actually teach his students to hack, he says he can and you have doubts. Well, that changes everything.
If society could not safely assume that a lawyer is no more likely to lead a life of crime because they know a little about how it’s done our dear host, and every seasoned CDL, would be under constant suspicion instead of being the respected pillar of society we know him to be.
I realize the point here is to score points on Yale baby lawyers because a couple of them threw fire bombs, but the conversation would be much more interesting if it addressed their ethical training instead of whether or not they should be taught what any click kiddie can get from 4chan with 20 minutes of curiosity and a propensity to do wrong.
“…because a couple of them threw fire bombs”? Oh, Jake.
I’ve worked in the legal field for a couple decades. When I started, it was “hurry up so we can run down to court before midnight”. Now, more often than not, it’s “hurry and get that pdf properly formatted so we can submit it on CM/ECF before midnight”.
Hacking & removable media have led to disastrous results for some firms.
Last week, I had to get 4 different levels of permission to put a sealed document on a CD for sealed records at SDNY (required by court rules).
These rules were put in place as a reasonable response to prohibit work product from going on removable media.
Hacking can thwart each of these rules. But one needs to know how break-ins can happen before they can be prevented and not all of these inchoate future senators will be able to have an IT team at the ready.
Letting them get an understanding of hacking in a legal world which is as much about 1s, 0s & cybersecurity as it used to be about quills, ink & safes seems very appropriate.
Most technology can be used for good or evil. The question is which will it be?
Do they need to learn how to actually hack to get a working understanding of how to protect documents? Why not teach the beneficial skills without giving them the means to blow up their enemies?
In my experience, it is nearly impossible to design any remotely secure software or technological process without taking time to “think like an attacker”. Ignoring everything you know about how a system is _intended_ to be used, what can that system be _made_ to do by some sequence of operations or inputs?
Cybersecurity courses go hands-on with attacks because there is no way to _generally_ defend against the potential for flaw. A reprogrammable computer is a machine that performs mathematical calculations at appalling speed on whatever input it is given. If it is given input that the person writing the program did not foresee, it will proceed to process that input to its conclusion, no matter how absurd. Programmers often foresee absurd inputs — at least, foresee them enough to make the program stop in its tracks with an error message to avoid doing anything dumber.
Infosec is partially rote — “best practices” of habit and design that tend to produce software that does not behave too wildly in response to weird input — but there are infinitely more ways to write an incorrect computer program than a program that behaves as intended. Thinking like an attacker means thinking about how a program could be misused or subverted, and then considering what prevents that misuse, and then actively looking for ways to subvert that. It doesn’t matter how good your encryption is if your program forgets to tell your database that under no circumstances should it interpret someone’s name as part of a program. https://xkcd.com/327/
So if students need to learn to think like an attacker, why not let them attack something? You can tell people to read textbooks about SQL injection attacks all day and then quiz them about it later, or you can run a badly-written program on a server set up just for the class and assign students to exploit it. It might be a little more attention-getting than the textbook! Easier to grade, too, since the professor or TA can just judge whether the attack worked rather than try to read a hastily handwritten description of how an attack _could_ work.
…so, Miles, I think I just said a lot of words for “Yes, they need to learn how to actually hack to get a working understanding of how to protect documents.” Is there any field of study where the gap between “knowing how to do something” and “being able to do that thing” is smaller than in computing?
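The point in the comment above about a database interpreting someone’s name as part of a program, shown as an added example that is not part of the original comment: the same lookup written with string concatenation and with a parameterized query, run against an in-memory SQLite table. The table, names and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample roster for this example.
ROSTER = ["Alice Example", "Bob Example", "Conor O'Brien"]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [(n,) for n in ROSTER])
    return conn

def find_unsafe(conn, name):
    # Flawed on purpose: the name is pasted into the SQL text, so the
    # database cannot tell where the program ends and the data begins.
    sql = f"SELECT name FROM students WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def find_safe(conn, name):
    # Parameterized: the SQL text is fixed; the name is passed separately
    # and is only ever compared as a value, never parsed as SQL.
    sql = "SELECT name FROM students WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"  # a "name" the programmer did not foresee
    results = {
        # The quote ends the string early; the rest changes the WHERE clause.
        "unsafe_crafted": find_unsafe(conn, crafted),
        # Same input, treated purely as data: no student has that name.
        "safe_crafted": find_safe(conn, crafted),
        # An ordinary name with an apostrophe works as expected.
        "safe_apostrophe": find_safe(conn, "Conor O'Brien"),
    }
    try:
        # The flawed version also breaks on perfectly benign input.
        find_unsafe(conn, "Conor O'Brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated version returns the whole roster for the crafted name and fails outright on an honest apostrophe; the parameterized version handles both correctly.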
Hard to imagine YLS picks only students who are so amazingly virtuous that 100% of them will defy human nature and resist the temptation to use a powerful tool for exclusively altruistic and legal purposes.
Money, information, influence, and correcting perceived injustice are all motivations I would place large bets on as the cause of future difficulties for these students. Question to me is when, not if.
Seems a silly question. If these kids are so ideologically driven that they can’t be trusted with what is probably script-kiddie-level hacking instruction, should we even be teaching them law? They could do far more damage with that than crashing a poorly-configured webserver for the local RNC office.
Is there utility in teaching law students about hacking? Maybe. Is it worthwhile to be mandatory? Probably not. Is it dangerous? Not particularly more than many other subjects that are routinely taught at colleges these days. I’m not sure what’s so special about lawyers that such information is intrinsically dangerous in their hands.
Thus far, it has not been a banner day for TT. Let me give it a go. Since many Yale law students have already demonstrated a propensity to be deeply involved in progressive causes, this gives rise to a concern about what they might do with a tool they really don’t need and could cause some, if not a lot, of damage. There is good reason to suspect that they might use this tool, in lieu of molotov cocktails, in pursuit of their goals.
I have no clue whether this course teaches them enough to do serious damage, but the students have given good reason to believe they might use it for evil. As for the comparison with being a lawyer, only a non-lawyer would say anything that dumb.
A friend of mine tells a story about busking in Boston, where he overheard a tourist approach a couple of guys from Southie and ask them if one of them would say “Pahk the cah, in Hahvahd yahd”, so his girlfriend could hear a real Boston accent. One of them replied, “What ah ya, fuckin’ retahded?”.
Teaching hacking in law school is “fuckin’ retahded”. It makes as much sense as teaching lock picking or cooking meth.
I feel stupider from reading the comments today…
Teaching computer hacking to college age kids. What could possibly go wrong with that? I was somehow under the impression that cloning websites and crashing servers is illegal. Did I miss something?
I do IT work for lawyers and the lack of technical knowledge among people who depend on technology is surprising. Teaching students how vulnerable they are to hacking and how to secure their systems and data is valuable. Whether they use it for good or evil is on them, just as the Lockpicking Lawyer uses his skills to educate and entertain rather than to steal.
While reading this post and its comments, I get the sense that some of the posters have a shallow grasp of hacking. At the risk of getting slapped down for this, I recommend Bruce Schneier’s latest book _A Hacker’s Mind_ (ISBN: 978-0-393-86666-7). An interesting book written by a researcher and expert in Computer Security.
TT rules allow it. Otherwise, it would have been trashed.
I am a long time reader who has never commented as I am not a lawyer. I am however a software engineer who understands these skills/tools, uses them professionally, and has been for > 10 years. I think most of the concern here is much ado about nothing, which I blame on the attention seeking headline and article. The class he is describing sounds like any run of the mill Cybersecurity 101 course taught in college for CS students.
Many commenters are off-base in that they seem to be shocked that a college course would be teaching “bad”/criminal skills. The locksmithing/picking analogy that is getting thrown around is appropriate. The goal is to learn about the inner workings of a system in order to understand its various failure modes and ways that they can be exploited. It’s not possible to only teach “good hacking”, defensive measures, etc., as the knowledge-base these skills come from is identical to that of more nefarious applications.
Our host understands this dialectic I believe, and instead asks a different question, which is can these young passionate ideologues be trusted with this knowledge, or will they be unable to resist temptation and abuse it? To this I would say, we should be no more concerned about this than with teaching them any other body of knowledge.
You could just as easily re-write this article about some professor putting law students through an intro level organic chemistry class complete with attention grabbing descriptions of filling balloons with hydrogen before detonating them or making elephants toothpaste; but I’m not going to be concerned about them going down to the hardware store to get supplies to make bombs or meth.
In either case, as a practical matter they won’t have the skills to do much of anything outside of the controlled environment of the classroom. And if we are concerned that the only thing that stands in the way of students abusing knowledge is merely not having it, that’s more of an argument to just shut down the whole program, in my mind. Though, the kids throwing molotovs certainly lend credence to that line of thinking.
I have plenty of skepticism about the added value of this class for law students, though I’m not a lawyer so what do I know. The whole article reads to me like any other “look how teaching lawyers to code is revolutionizing law” piece that some journalist might crap out in an afternoon.
I could rewrite your comment to, “I’m not a lawyer so what do I know” and improve it significantly. It might seem odd that you’d declare it out of the blue, but it’d still be better than making an even more terrible analogy than lockpicking. The facts that hacking is a crime and these are law students being taught to hack are very important, Ben, and you didn’t address them at all. I’m not asking you to.
Fair, my comment is too long so I’ll be more direct. The pearl clutching about students being “taught how to hack” is based on a faulty premise coming from a place of ignorance. The many strained analogies people are bumping their heads on are trying to point that out.
It’s also largely irrelevant to the questions posed in the TT, which was not about what they were being taught, but if they might use that for good or evil.
For evil? Again, no, they won’t come out of this class with the ability to do jack shit in the real world despite how much they might want to. For good? Would it inform their careers as real lawyers more than any other cross-discipline knowledge might in a way that makes it worth teaching? Doubtful, seems like a waste of time, but I don’t know. That would be a more constructive addition than the knee-jerk response about “OMG HACKING”.
Are you a lawyer? Because “hacking is a crime” is incredibly shallow, enough to be called wrong, as wrong as ‘picking locks is illegal’. It’s illegal to hack into a system *when you’re not authorized to*. Cybersecurity professionals routinely attempt to penetrate their own organizations and those that hire them in order to find flaws; this is an entire field conducted entirely legally. ‘White hat’ hacking, vs ‘black hat’– the illegal variety. It’s not illegal to crack passwords on your own files when you’ve forgotten.
So too is much lockpicking legal. But it’s a skill easily abused and commonly used for illegal purposes. (I’d argue criminals who lockpick are far more uncommon than hackers doing it legally; why pick a lock when the house next door left their window open?). It’s a perfectly fine analogy if you’re familiar with the basics of either cybersecurity or the laws around it; I take it you’re not.
I am, and I was responding to Ben who brought up organic chemistry. I failed to get him or you to talk about the actual topic. I apologize. If you had anything to contribute it’s in the part where you might know more about cybersecurity than I do. You should have talked more about those legitimate uses of the knowledge discussed and how they might be useful to an attorney even if lawyers aren’t going to be routinely attempting to penetrate their own organizations professionally.
Instead you asked about me and then doubled down on stupid and irrelevant. TT sucks.
It would make as much sense to teach them how to commit every other kind of crime a large corporate client might encounter. This really hasn’t been the role of law schools traditionally, and seems likely to detract from the ostensible goal of actually preparing them to practice law.
As an IT-security professional I have a somewhat different viewpoint than you, and I think Shapiro is right. Companies like Microsoft, Cisco, IBM…, national intelligence services as well as public officials, whose offices recently had to pay ransom, pray to us day after day, how Security and Cybercrime are “a highly technical feat […] cybercrime is a sophisticated high-tech feat”.
We were hacked – not because we were too dumb/negligent/lazy to secure our perimeter, but because the Russian (Chinese, Korean) hackers are sooooo sophisticated. Unavoidable, an absolutely unforeseeable natural catastrophe…
That is bullshit. Cybercrime mostly works on an appallingly low level of technical skill and knowledge. Cybercrime works, because a lot of the people responsible for security in private offices, by far the most ‘security officers’ in public offices, are simply not up to their jobs. I’m writing as a German, but I don’t think, that the IT skills in U.S. public offices are much higher. They don’t try to secure their nets, their data. They don’t try to avoid data collection whenever possible. They don’t try not to put sensitive data into the cloud. They try to buy security based on technical solutions. That simply doesn’t work.
Any public servant, especially lawyers, should not only know, how and why they are responsible for the giant wealth of data they daily manage – data, which affects all of our lives often down to the last detail.
They should be able to ask – and to understand – why a hack was successful. They should be able to understand, which procedures and protocols were in effect to avoid security incidents and when they learn, that those procedures and protocols were nothing but the usual and common ‘We bought Microsoft cloud, we paid for a firewall and we made sure our scanner got latest signatures’ (which sums up to ‘We openly invited the hackers’) then they should be able to call the responsible guys to account.
If you want to secure your home against a sophisticated burglar, learn to think like a burglar. If you want to protect your data, think like a hacker.
It’s big fun, too.
A little bit of knowledge can be a dangerous thing