Slashdot Mirror
Canadian University to Begin Training Hackers
torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
WHO LET THE H4X0RS OUT?
l33t,l337,l33t,1337
WHO LET THE H4X0RS OUT?
l33t,l337,l33t,1337
WHO LET THE H4X0RS OUT?
l33t,l337,l33t,1337
WHO LET THE H4X0RS OUT?
l33t,l337,l33t,1337
WHO LET THE H4X0RS OUT?
l33t,l337,l33t,1337
I just read a good article on this too. Apparently, if we train hackers at a young age, we can control them, and get much more work done. Read the article at http://www.cs.berkley.edu/~bh/hackers.html
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
I'm sure they will be ACCUSED of it, but I think everyone here sees the real reason. How can you know how to secure your systems if you don't know what the virus writers are doing?
And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.
Crackers, not hackers.
I understand this is a losing battle but lets not get it wrong on slashdot.
Siggy Say, Siggy Do
The fact they are learning the hows of a skill does not mean they will use the skill maliciously. :)
In fact, when educated, most people will use their powers for good, not evil..
Important info:
http://www.lifeaftertheoilcrash.net
http://dieoff.org/synopsis.htm
http://www.peakoil.net
You gain a certain understanding for certain things when you're "at the wrong end of a telnet session" A lot of that knoweldge can be used for protecting against the same exploits. If they're writing viruses, maybe instead of having a definition file for each virus that has to constantly be updated, they could author some detection scheme that monitors for activity that is like a virus, or certain function within the code that can be stopped much simpler than the current methods
--fetch daddy's blue fright wig, i must be handsome when i release my rage
will this be offered as an online course?
Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
Oh! Oh! I Know! Is it...terrorists?
Triv
Skills:
Comment:
While I realize the above skills may not be entirely useful for the position described, I have noted that you do have an internet connection to your primary server via IP address 66.35.250.150. Would you like me to tell you your root password during an interview, or should I be ready work at 8:30am tomorrow?
maybe it's just me, but this article has a rather tabloid-esque sensanionalist feel to it. where did they get the figure of $1.6-trillion of damage done by viruses? that's just not believable. then they quote unspecified "experts" and refer to vaguely conspiratorial theories of government-hired hackers in a "secret laboratory".
basically, they are printing a new course announcement and mixed it in with a bunch of hyped up BS in order to make it look like a real article.
Well, I'm quite proud to be an (adopted) Canadian. I see this as just another way for us to poke the Nazi Americans...what with SARs, mad cow, and our threat to decriminalize pot...why shouldn't we just push the envelope a little more? ;-)
We also maintain a threatening lead in Zamboni technology. [This borrowed from Canadian Bacon].
you know, I've been working through the idea of a "hacking 101" course for pre-university students. Think about the concepts to you need to understand how to write a "simple" stack overflow ; all about how programs execute, how system calls work, machine language, probably network programming. Let alone the actual C and ASM hackery skills. More advanced hacks like infecting dynamic libraries etc require even more knowledge. By the end of it, you'd come out at least knowing if you liked computer science. I wish someone had done this for me when I was 16 or 17. Take the class over a few weeks, introducing one concept a week and then have a go at writing that part of your exploit.
...
It has been suggested to me that I might as well just teach a basic operating systems class, but it doesn't have to same ring to it
After all, by studying how viruses are made, you can better understand them and thus make better anti-virus software. The kids going here are not going because they want to learn to be L33T cyber hackers or whatever, but knowing the tools of the trade (white and black hat) will help them in the computer programing/protection field.
Fuzzy Knights: New RPG Strips Tuesday and Friday!:
http://www.fuzzyknights.com
No matter what path they choose, whether to be malicious hackers or peacekeeping notify-devs-before-it-gets-noticed types, the end result will be the same: better code.
Now if only we can get MS to believe what us open source folks have been saying for years!
I live within walking distance of this university and I am a professional developer and have been for a number of years. Last fall I contacted their IT people and asked if they have any courses on C++ cross platform development. (Rightly or wrongly I elected to use wxWindows and C/C++ from now on - but I still ahve a lot of legacy code of course).
I was suprised at the raw nerve I seemed to have hit with the prof I was speaking to because she became somewhat defensive.
My position is that if we for instance go to sourceforge and check the projects that we will find that C/C++ is perhaps the most popular language for these projects. If I look at my development requirements my conclusion is that C/C++ is THE ONLY viable languge I would even consider using! In my career I have programmed on over 13 platforms and I have used over 13 languages - many of which are now obsolete. I don't think I am biased towards C/C++ or say biased away from say Java. I have my career and at this point in my life I am managing it! I encourge all other programmers to do likewise. What this means is that for me - if a client asks me to program in VB, Java, etc. my answer is that I will NOT take on the job.
Given my strong feelings that C/C++ will be here for the foreseeable future - I find it totally ironic that the U of "C" doesn't even teach "C".
As such - I consider them rather irrelevant.
Furthermore as it turns out I was at the OpenBSD hackathon BBQ last weekend and made the point of asking the hackers how much Java there is in OpenBSD. They laughed. When I asked about C++ they were a little more serious and consided that perhaps there is some somewhere.
So I commented to them that the Uof"C" doesn't teach "C" and was actually quite surpised to hear one chap pipe up that his company doesn't hire UofC IT grads.
I think this is a really sad testiment to the department actually. My opinion is that they have a strong Java / M$ bias and I think this is rather sad. Just MHO...
--------------
BTW - these comments should not be construed to critisize Ruby, Python, Perl, Bash, PHP etc. These langages all have their place and I use some of them. My comments are about the use of C/C++ for general purpose applications development where you might end up with 50,000+ lines of code.
sorry.
--
cHris
One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?
There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)
The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.
Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.
Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.
The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.
I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.
Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.
I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.
Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup
Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?
Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.
This will let Bush make all those jokes about invading Canada become a reality.
Wait, I meant liberate Canada from cyber terrorists.
Outdoor digital photography, mostly in New Engl
The 'Eh?" virus coming our way.
If America and Canada got into a war, where would all the draft dodgers go?
"Everyone is entitled to their own opinion, but not their own facts."
This method would also be cheap in terms of raw materials. If you can threaten an attacking country with the destruction of their economy or failure of basic utillity systems, without having to mobilize a pile of troops, you're money ahead. Sounds like a plan.
I'd toyed about the concept of building a virus with a beneficial payload, but gave it up as it's is ethically cloudy to say the least. For instance, new vulnerabilty reported? Write a virus that exploits (and patches) it. It could conceptually at least spread at the same speed as the original virus. While that may not always be practical (it would depend obviously on the vulnerability and how complex the patch was) there is the ethical consideration that I have absolutely no rights (read that Eula!) to "attack" your system and "fix" it. Plus, my idea of a "fix" (this product doesn't do DRM correctly) may not equate to yours ("this program does do DRM correctly"). Another alternative would be to replicate the virus logic, with a benign payload "Hey! Sysadmin! Did you know you are vulnerable to - you should go get patch from ..."
Disgruntled Professor in said subject goes insane (but his inherent humanity remains for later purposes in the script, naturally) and writes a virus that will 'bring down the planets computing power'. Former student and star of the class is brought in (obviously from somewhere and time at which they for some reason cannot face computers (possibilities: severe RSI, Epilepsy set off miraculously by 65-85Hz screens, Blindness...) to defeat the mad professor, before the final showdown with badly executed profundities.
And all the computer scenes have to use a bizarre and unique 3D styled UI, that looks wholly unusable, and slightly, if not completely frustrating.
Geee, I can't wait *lays on the fake exuberance*. These things always happen when something becomes more mainstream.
I recommend strongly that anyone in a role like mine take some time to study viruses, exploits, rootkits, and other pieces of hostile code. These are a basic part of the security environment in the field. The more you understand the crap that the Net's rejects and crackheads are throwing at you, the better a job you can do.
Here's just one example of what we can learn from viruses; a bit of an older example, so I'm not doing too much of your work for you:
Let's say your client is considering a bonehead move -- like, say, deploying Microsoft Outlook enterprise-wide. Any security nerd can say "duh, Outlook sux0r, it's full of vulnerabilities, that's why it spreads viruses." However, if you have read the source code of the LoveLetter and Melissa viruses, you will realize (and can explain to your client) that these viruses do not exploit vulnerabilities at all -- at least, not in the sense of buffer overflows and other attacks which target bugs in software. These viruses don't crack anything -- they use perfectly ordinary, documented API calls. It isn't holes in the Windows Mail API that make it a virus breeding ground -- it's just its built-in, designed, intended functionality. That's why these viruses can still spread after years of bug fixes: their critical paths do not rely on bugs at all.
What do we learn from these viruses? Security is not about patching bugs, or having bug-free software. It is about correctly modeling the trust relationships people have with each other regarding their computer resources, in software. The Windows MAPI's design implies an assumption that people want to entrust word-processing documents with the power to send hundreds of emails. That's obviously wrong -- and that, not any bug, is what must be explained to convince someone that Microsoft's mail software is a bad security choice.
There are many more lessons to be learned by understanding hostile code. There are lessons about user interface design: many email viruses depend on getting the user to take some action (opening a message, running a macro, etc.) which unintentionally grants the virus trust and privilege (even the privilege to run code) that it should not have. To design secure systems for users, we must have user interfaces which do not promote such deception. There are lessons about system monitoring and the habits of sysadmins: Unix rootkits, which alter the system to conceal the tracks of an attacker, show just how easily a too-shallow maintenance or log-checking routine can be deceived. There are many lessons.
Get yourself some virus source code. Google will help. Read rootkit code, and the analyses thereof which researchers on SecurityFocus and other sites have published. Understand these attacks, and you will understand the systems they target better than you do now.
The best bomb creators make the best bomb technitions.
:)
I'll take anti-virus software from the most "evil" virus creating minds in the industry over some programming wannabe's anti-virus software.
This is granted that these "evil" virus creating minds arn't too "evil" and put back-doors in their anti-virus software
- Jeff
Modesty is one of life's greatest attributes
if ($Hacking == $VirusWriting)
{ print "the media has won"; }
for goodness sake...
mix_master_mike
vafrous
The instructor is Dr. John Aycock, and he's definitely one of the better instructors we have in CPSC. His focus is in compilers and OS's, and taught the 3rd-year OS class for I think the first time last Winter.
He definitely has a strong security focus in his courses, and has one of the highest standards I've encountered in a prof regarding testing ( after turning in our implementation of an md5 hash as a system call in OpenBSD, he asked the class if anyone had tried testing with 1 Gb input strings. Just an example).
There's another course with a similar bent - a 4th year SysAdmin course that's year-long and involves substantial network programming. I'm told that the instructors will take down the network during your examination, forcing you to fix things while still completing your test online. Past grads also like to hammer the servers the students setup.
Personally, I'm glad to see these courses - most of these problems are things I've no clue about or would even think about how to prevent. Exposure is a start.
-- "We are all in the gutter, but some of us are looking at the stars" [Oscar Wilde]
My university here in California teaches a course similar to this at the 4th year undergrad or graduate level.
I just finished writing my final exam (actually, a report) in the "Network Security" class. It was actually quite fun. The class is divided into several teams of 3 or 4 students and each team sets up an e-commerce site that is visited by an administrative team that logs successful transactions from their own machines.
Each team's job is to keep their site up while simultaneously trying to knock other teams off of the network. Each site uses two machines with two different operating systems: Redhat 8 and Windows XP professional.
Needless to say, we checked the security and hacking sites several times a day to make sure to be aware of new exploits creeping out.
Hack sessions were "anything goes", we basically progressed from larval stage (script kiddie) to juvenile (perl, java and C based exploits.
No one wrote any new exploits this time around, but a whole new batch of wet-behind-the-ears "hackers" are released from this univeristy every semester.
Of course, the purpose of the class is to create an environment where teams can learn about security by practicing the arts of the "Black Hat". It was surely the most fun I have had yet in the university.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
I could prove it: http://pages.cpsc.ucalgary.ca/~erik
But, looks like someone has been doing some early studying for the course; our DNS is pooched. Oh well, its after hours now - it'll have to wait until tomorrow...
No sig for you.
The first year results are held on an unpatched IIS box.
:o)
For your final exam, there's a security certified server that holds your results. If you can give yourself an A+, you probably deserve it.
Xix.
"Everything is adjustable, provided you have the right tools"
Hacker != Cracker
:). Crackers are malicious people who want to cause electronic anarchy and chaos. Now there is no denying that some of the hackers the university wants to train may go over to the dark side, but most of them will stay on the light side.
Hackers are people who try to make computers do innovative new things. Bill Gates is a hacker (Manages to slow your computer down as fast as Moore's Law speeds it up...). Ok... Eh, bad example
A different analogy: Hiring a cracker is like putting a serial bomber on the SWAT bomb squad. Hiring a hacker is like hiring someone with a natural gift for diffusing bombs.
When they're on our side, they're called Freedom Fighters!
In Soviet America the banks rob you!
Former student and star of the class is brought in (obviously from somewhere and time at which they for some reason cannot face computers (possibilities: severe RSI, Epilepsy set off miraculously by 65-85Hz screens, Blindness...) to defeat the mad professor, before the final showdown with badly executed profundities.
Nah, the former star student would be in jail and would be released a la The Jackal to catch the mad professor. Then they would let him "disappear" only to find him later at a cybercafe dead due to bloodclots in his legs...
Dacels Jewelers can't be trusted.
Writing viruses was actually covered in the assembly language class I took at UMaine circa 1992, in the last chapter of the instructor-written textbook. The rationale in that case was that in informing CS students how easy it is to write viruses, they would no longer see them as technically impressive and therefore not be interested in pursuing their creation. (I just taught my first assembly class this past semester, and use this as an anecdote without actually covering it myself.)
Since I have the text right here, I'll quote it: "...you do not have to be a genius to write a virus... Some people use virus writing to prove their programming skill, but this is poor proof of such skill in my opinion. It's about as much proof of genius as throwing a brick through a window."
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
It's about time CS students got back to learning some proper programming languages, methods, algorithms and system-level understanding. Having seen numerous UK Universities go from teaching assembler and hardware-level courses to being a middle-of-the-road Microsoft house, I think this type of course can give students a true understanding of the systems with which they're working. I just hope they're not only concentrated on .Net viri built using a template "virus wizard".
--
Core Wars should be part of every curriculum!
Contribute to the online videogame encyclopedia: GamerWiki
Canadian University to Begin Training Hackers! They plan to be the third world largest hacker training ground, just after MIT and Berkley! Watch news at 9 pm! *sigh*
Karma: Positive (probably because of superiour intellect)
"Know your enemy, know yourself and in a hundred battles you shall not lose"
:)
Sun Tzu
Never by hatred has hatred been appeased, only by kindness - the Buddha
But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.
Readers who find this idea interesting may want to read This Alien Shore by C.S. Friedman. While it's nothing relevant to current technology, it describes an interesting scenario of a well-written virus, and describes it from the point of view of both an untrained "cracker" and a schooled, skilled, & specialized "security specialist."
If you don't understand it, then your options in fighting it are limited. A noob running a blade cluster on a t3 line has only one option when some script kiddie takes over his system: unplugging it. Far from optimal.
We have all this "anti-virus" software, but it is completely misnamed. If you get a flu shot, it's not an anti-virus, its a pallative. A weak shield against infection, not an active agent of protection. The same goes for the software that we currently use. I want to be able to unleash righteous nastyness against the damn viruses in my system, not poke around with fricking bloated software that's always playing catch up.
Until we learn to beat them at their own game, then it will BE their game.
Just my opinion.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.