Slashdot Mirror
Canadian University to Begin Training Hackers
torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
I just read a good article on this too. Apparently, if we train hackers at a young age, we can control them, and get much more work done. Read the article at http://www.cs.berkley.edu/~bh/hackers.html
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
I'm sure they will be ACCUSED of it, but I think everyone here sees the real reason. How can you know how to secure your systems if you don't know what the virus writers are doing?
And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.
One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?
There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)
The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.
Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.
Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.
The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.
I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.
Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.
I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.
Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup
Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?
Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.
I know this is intended to be funny, but I think people would be surprised at just how good this can look on a resume.
I did an internship with one of our government departments, involving 'security research'. Sure, an hour a day was occupied reviewing firewall/IDS logs, but the rest of the time was spent developing and testing exploits. It was a hell of a lot of fun, and I gotta tell you - I have a deeper understanding of the TCP/IP protocol suite than anyone in their right mind could want, I can code shellcode in my sleep, and writing a self-modifying virus that evades most signature-based scanners is something far from impossible now.
I gotta tell you, the right employer drools at this, because it's not something a person picks up in school, and the vast majority of people that know anything about it are really no more than glorified script kiddies. When it comes time to harden a system WELL, or set up an IDS so that it's actually useful, or write a virus scanner that will actually work 2 days after it's released onto the market... it helps to have a clue what you're doing.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.