Slashdot Mirror

← Back to Stories (view on slashdot.org)

Canadian University to Begin Training Hackers

Posted by CowboyNeal on from the learning-from-the-other-side dept.

torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"

7 of 350 comments (clear)

  1. Don't overreact by Mossfoot · · Score: 4, Insightful

    After all, by studying how viruses are made, you can better understand them and thus make better anti-virus software. The kids going here are not going because they want to learn to be L33T cyber hackers or whatever, but knowing the tools of the trade (white and black hat) will help them in the computer programing/protection field.

    --
    Fuzzy Knights: New RPG Strips Tuesday and Friday!:
    http://www.fuzzyknights.com
  2. Re:Crackers by RobotRunAmok · · Score: 4, Insightful

    losing battle

    Lost, son. Circa 15 years ago. Woulda helped had we picked a word not already firmly ensconced in both the vernacular (thin biscuit) AND slang (narrow-minded Southern whitey) simultaneously. 'Cracker' never stood a chance; teenage cabals can *suggest* lanaguage, but it's up to the media to bless it and disseminate it.

    Just let it go. As a geek patheticism, insisting on the use of the word "cracker" over "hacker" is starting to rank up there with wearing one's plastic Vulcan ears out in public.

  3. Re:They might be accused... by caouchouc · · Score: 5, Insightful

    As a software engineer, I have to say that the perceived "skill" required to write a virus is blown way out of proportion.

    There's nothing inherently special about a virus or a worm. They're actually very simple, and most malware writers today are not very talented. They produce bloated, barely functional software (scripts, for the most part today) that is only dangerous because the average user is so trusting. I remember when viruses were actually smaller than the files they infected...

    Got coders in your firm? If they're capable of writing inter-operation layers for your apps or database frontends, then they're capable of writing viruses and worms far worse than bugbear. But chances are they don't, because it's a waste of time.

    Those students don't need specialized virus-writing courses. A simple assembly course would put them lightyears ahead of the "bad guys" if they actually paid attention for once.

  4. Re:They might be accused... by ryanr · · Score: 4, Insightful

    You don't secure systems against viruses. You have to secure people against them. They're a behavioral problem. A virus doesn't need any kind of flaw to propagate, it just needs a trusting person. You could write a bugless operating system, and as long as a regular user can use it to get useful work done, then the same user can also infect it through neglect, ignorace, or maliciousness.

  5. Studying viruses is important by Frater+219 · · Score: 4, Insightful
    My job includes being the computer security guru for my workplace. In that role, it's my job to understand the way my clients' systems work, so that I can recommend effective operational ways to improve their security. It's also my job to understand the world of attacks -- not just keeping my ear to the ground regarding what kind of shit is going down at the moment, but understanding what attacks are possible, which are likely, and which are worthy of taking special defensive measures.

    I recommend strongly that anyone in a role like mine take some time to study viruses, exploits, rootkits, and other pieces of hostile code. These are a basic part of the security environment in the field. The more you understand the crap that the Net's rejects and crackheads are throwing at you, the better a job you can do.


    Here's just one example of what we can learn from viruses; a bit of an older example, so I'm not doing too much of your work for you:

    Let's say your client is considering a bonehead move -- like, say, deploying Microsoft Outlook enterprise-wide. Any security nerd can say "duh, Outlook sux0r, it's full of vulnerabilities, that's why it spreads viruses." However, if you have read the source code of the LoveLetter and Melissa viruses, you will realize (and can explain to your client) that these viruses do not exploit vulnerabilities at all -- at least, not in the sense of buffer overflows and other attacks which target bugs in software. These viruses don't crack anything -- they use perfectly ordinary, documented API calls. It isn't holes in the Windows Mail API that make it a virus breeding ground -- it's just its built-in, designed, intended functionality. That's why these viruses can still spread after years of bug fixes: their critical paths do not rely on bugs at all.

    What do we learn from these viruses? Security is not about patching bugs, or having bug-free software. It is about correctly modeling the trust relationships people have with each other regarding their computer resources, in software. The Windows MAPI's design implies an assumption that people want to entrust word-processing documents with the power to send hundreds of emails. That's obviously wrong -- and that, not any bug, is what must be explained to convince someone that Microsoft's mail software is a bad security choice.


    There are many more lessons to be learned by understanding hostile code. There are lessons about user interface design: many email viruses depend on getting the user to take some action (opening a message, running a macro, etc.) which unintentionally grants the virus trust and privilege (even the privilege to run code) that it should not have. To design secure systems for users, we must have user interfaces which do not promote such deception. There are lessons about system monitoring and the habits of sysadmins: Unix rootkits, which alter the system to conceal the tracks of an attacker, show just how easily a too-shallow maintenance or log-checking routine can be deceived. There are many lessons.

    Get yourself some virus source code. Google will help. Read rootkit code, and the analyses thereof which researchers on SecurityFocus and other sites have published. Understand these attacks, and you will understand the systems they target better than you do now.

  6. 10 years ago... by dcollins · · Score: 4, Insightful

    Writing viruses was actually covered in the assembly language class I took at UMaine circa 1992, in the last chapter of the instructor-written textbook. The rationale in that case was that in informing CS students how easy it is to write viruses, they would no longer see them as technically impressive and therefore not be interested in pursuing their creation. (I just taught my first assembly class this past semester, and use this as an anecdote without actually covering it myself.)

    Since I have the text right here, I'll quote it: "...you do not have to be a genius to write a virus... Some people use virus writing to prove their programming skill, but this is poor proof of such skill in my opinion. It's about as much proof of genius as throwing a brick through a window."

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  7. Re:They might be accused... by Saint+Stephen · · Score: 4, Insightful

    The fact that most viruses are so simple should scare the hell out of you. All virii to date just rely on the hosts ignorance -- the virus writer knows something the host doesn't. Plus, even the worst attacks are just annoyances. You haven't seen a really evil virus.

    Like, what if the next virus directs all the modems to dial 911 at the same time, and coordinates that with a real world terrorist attack?

    I use the analogy that current virus writers are like Palestinians strapping bombs to themselves and blowing themselves up -- any fool can do it, you just have to sneak past. You haven't seen the Al Quaeda of viruses yet.