Releasing notes from the sociotechnical ethical hacking course

Sara-Jayne Terp
4 min readOct 18, 2023

It’s been a while (my dayjob is kinda full-on), but I’m going to start working through my pre-dayjob notes and release them here.

First up: the Sociotechnical Hacking course I ran at the University of Maryland. All the slides are here: https://drive.google.com/drive/folders/1O7aQhvIKIEcY0oIj7gTGZVb3OYLdAk2p?usp=sharing — nb several of them need updating. The course summary was:

Welcome to INST408C, Sociotechnical ethical hacking

This course ethically explores hacking in all its forms. Each week we look at a different aspect of systems vulnerability (reverse engineering, social engineering, communications architectures etc), and how it applies to a variety of systems including people, locks, PCs, computer networks, hardware, cars, aerospace, space, radio, elections, and robotics. These explorations will be grounded in ethics and socio-technical systems theory, and all discussions will be on a purple team “you break it, you fix it” basis.

The course is divided into three main parts: knowledge, skills, and ability, where:

  • Knowledge is the things that you know; it’s theoretical rather than practical, but it often underpins your practical skills. The course has an asynchronous lecture each week, focussing on knowledge.
  • Techniques are the things that you use in practice to achieve your objectives. Before each practical class, we’ll cover needed techniques and tools, and check that you’re set up to use them.
  • Skills are your abilities to do the things that you need to achieve your objectives. The weekly practical classes are designed to help you (safely) hone your skills.

Ultimately, you should come out of this course knowing underpinning theories, understanding what you need to do to put that into practice, capable of at least basic techniques in each area, and with enough links for you to dig further into areas that interest you, if you wish. If your passion is for defensive cybersecurity, you should hopefully have a better understanding of what it is that you’re protecting systems against.

This is not your standard “ethical hacking” course

Most other courses cover the code-and-wires parts of information security. This course goes beyond that into sociotechnical security — that we’re protecting systems made up of people, processes, technology, cultures, and that any and every part of those systems can be hacked, or used in a hack.

If you do want to do standard “ethical hacking”, there are many good courses out there on ethical hacking and pentesting, including this one from UMD’s computer science department. There are also books designed to help you pass one of the ethical hacking exams; for instance, Matt Walker’s book “all in one certified ethical hacker” has sections on:

  • Ethical hacking fundamentals
  • Reconnaissance and footprinting
  • Scanning and enumeration
  • Sniffing and evasion
  • Attacking a system
  • Hacking web servers and applications
  • Wireless network hacking
  • Mobile, IoT, and OT
  • Security in cloud computing
  • Trojans and other attacks, including malware analysis
  • Cryptography
  • Social engineering and physical security
  • Penetration testing

We’re looking wider than that. We’re in an age when anything and everything, including your beliefs and community ties, are being hacked, often as part of nationstate actions. We need to guard against these types of hack, and think creatively about how they work. This course covers hacking fundamentals, but it also looks at the systems around targets like people, buildings, software, algorithms, electromagnetic waves, hardware, and vehicles.

There are already people looking at systems in this way — good examples are DEFCON and Chaos Computer Congress talks / villages, and books like the Car Hackers Handbook. For this course, we’ll be concentrating on knowledge, techniques, and applications, with examples like:

Knowledge / background principles

  • Introduction
  • Laws, ethics, and risks
  • Sociotechnical systems
  • Red and purple teaming
  • Machine communications
  • Getting creative

Skills / techniques

  • Reconnaissance
  • Cryptography
  • Forensics
  • Social engineering
  • Reverse engineering

Practice / applications: People

  • Hacking yourself (systems thinking)
  • Elections (mixed security modes)
  • Social media (social engineering)

Practice/applications: Buildings

  • Locksports (vulnerabilities)
  • Buildings and physical (don’t harm self)

Practice/applications: Software

  • Web applications
  • Personal computers

Practice/applications: Algorithms

  • Machine learning (adversarial AI)
  • Robotics / automation (don’t harm others)
  • Maps and algorithms (back doors)

Practice/applications: Hardware

  • Assembler (microcontrollers)
  • Hardware (IoT)
  • Radio (AISB etc)

Practice/applications: Vehicles

  • Cars (canbuses and bypasses)
  • Aerospace (reverse engineering)
  • Satellites (remote commands)

Class principles

First, do no harm

  • Ethics = risk management
  • Don’t harm others (harms frameworks)
  • Don’t harm yourself (permissions etc)
  • Fix what you break (purple teaming)

It’s systems all the way down

  • Infosec = systems (sociotechnical infosec)
  • All systems can be broken (with resources)
  • All systems have back doors (people, hardware, process, tech etc)

Psychology is important

  • Reverse engineering = understanding someone else’s thoughts
  • Social engineering = adapting someone else’s thoughts
  • Algorithms think too (adversarial AI)

Be curious about everything

  • Curiosity is a hacker’s best friend
  • Computers are everywhere (IoT etc)
  • Help is everywhere (how to search, how to ask)

Structure of each week

Tuesday:

  • Recorded class
  • Focus on one or more fundamental concepts
  • Assignment: gather information about this week’s class discussion

Thursday:

  • In-person + zoom class discussion
  • Focus on an application area
  • Guest hackers if we have them
  • Revision lecture before each exam
  • Guided study period during heavy project weeks

--

--