Slashdot Mirror
Canadian University to Begin Training Hackers
torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
I just read a good article on this too. Apparently, if we train hackers at a young age, we can control them, and get much more work done. Read the article at http://www.cs.berkley.edu/~bh/hackers.html
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
I'm sure they will be ACCUSED of it, but I think everyone here sees the real reason. How can you know how to secure your systems if you don't know what the virus writers are doing?
And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.
Crackers, not hackers.
I understand this is a losing battle but lets not get it wrong on slashdot.
Siggy Say, Siggy Do
The fact they are learning the hows of a skill does not mean they will use the skill maliciously. :)
In fact, when educated, most people will use their powers for good, not evil..
Important info:
http://www.lifeaftertheoilcrash.net
http://dieoff.org/synopsis.htm
http://www.peakoil.net
You gain a certain understanding for certain things when you're "at the wrong end of a telnet session" A lot of that knoweldge can be used for protecting against the same exploits. If they're writing viruses, maybe instead of having a definition file for each virus that has to constantly be updated, they could author some detection scheme that monitors for activity that is like a virus, or certain function within the code that can be stopped much simpler than the current methods
--fetch daddy's blue fright wig, i must be handsome when i release my rage
will this be offered as an online course?
Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
Oh! Oh! I Know! Is it...terrorists?
Triv
Skills:
Comment:
While I realize the above skills may not be entirely useful for the position described, I have noted that you do have an internet connection to your primary server via IP address 66.35.250.150. Would you like me to tell you your root password during an interview, or should I be ready work at 8:30am tomorrow?
maybe it's just me, but this article has a rather tabloid-esque sensanionalist feel to it. where did they get the figure of $1.6-trillion of damage done by viruses? that's just not believable. then they quote unspecified "experts" and refer to vaguely conspiratorial theories of government-hired hackers in a "secret laboratory".
basically, they are printing a new course announcement and mixed it in with a bunch of hyped up BS in order to make it look like a real article.
Well, I'm quite proud to be an (adopted) Canadian. I see this as just another way for us to poke the Nazi Americans...what with SARs, mad cow, and our threat to decriminalize pot...why shouldn't we just push the envelope a little more? ;-)
We also maintain a threatening lead in Zamboni technology. [This borrowed from Canadian Bacon].
After all, by studying how viruses are made, you can better understand them and thus make better anti-virus software. The kids going here are not going because they want to learn to be L33T cyber hackers or whatever, but knowing the tools of the trade (white and black hat) will help them in the computer programing/protection field.
Fuzzy Knights: New RPG Strips Tuesday and Friday!:
http://www.fuzzyknights.com
No matter what path they choose, whether to be malicious hackers or peacekeeping notify-devs-before-it-gets-noticed types, the end result will be the same: better code.
Now if only we can get MS to believe what us open source folks have been saying for years!
I live within walking distance of this university and I am a professional developer and have been for a number of years. Last fall I contacted their IT people and asked if they have any courses on C++ cross platform development. (Rightly or wrongly I elected to use wxWindows and C/C++ from now on - but I still ahve a lot of legacy code of course).
I was suprised at the raw nerve I seemed to have hit with the prof I was speaking to because she became somewhat defensive.
My position is that if we for instance go to sourceforge and check the projects that we will find that C/C++ is perhaps the most popular language for these projects. If I look at my development requirements my conclusion is that C/C++ is THE ONLY viable languge I would even consider using! In my career I have programmed on over 13 platforms and I have used over 13 languages - many of which are now obsolete. I don't think I am biased towards C/C++ or say biased away from say Java. I have my career and at this point in my life I am managing it! I encourge all other programmers to do likewise. What this means is that for me - if a client asks me to program in VB, Java, etc. my answer is that I will NOT take on the job.
Given my strong feelings that C/C++ will be here for the foreseeable future - I find it totally ironic that the U of "C" doesn't even teach "C".
As such - I consider them rather irrelevant.
Furthermore as it turns out I was at the OpenBSD hackathon BBQ last weekend and made the point of asking the hackers how much Java there is in OpenBSD. They laughed. When I asked about C++ they were a little more serious and consided that perhaps there is some somewhere.
So I commented to them that the Uof"C" doesn't teach "C" and was actually quite surpised to hear one chap pipe up that his company doesn't hire UofC IT grads.
I think this is a really sad testiment to the department actually. My opinion is that they have a strong Java / M$ bias and I think this is rather sad. Just MHO...
--------------
BTW - these comments should not be construed to critisize Ruby, Python, Perl, Bash, PHP etc. These langages all have their place and I use some of them. My comments are about the use of C/C++ for general purpose applications development where you might end up with 50,000+ lines of code.
One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?
There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)
The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.
Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.
Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.
The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.
I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.
Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.
I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.
Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup
Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?
Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.
The 'Eh?" virus coming our way.
If America and Canada got into a war, where would all the draft dodgers go?
"Everyone is entitled to their own opinion, but not their own facts."
This method would also be cheap in terms of raw materials. If you can threaten an attacking country with the destruction of their economy or failure of basic utillity systems, without having to mobilize a pile of troops, you're money ahead. Sounds like a plan.
Disgruntled Professor in said subject goes insane (but his inherent humanity remains for later purposes in the script, naturally) and writes a virus that will 'bring down the planets computing power'. Former student and star of the class is brought in (obviously from somewhere and time at which they for some reason cannot face computers (possibilities: severe RSI, Epilepsy set off miraculously by 65-85Hz screens, Blindness...) to defeat the mad professor, before the final showdown with badly executed profundities.
And all the computer scenes have to use a bizarre and unique 3D styled UI, that looks wholly unusable, and slightly, if not completely frustrating.
Geee, I can't wait *lays on the fake exuberance*. These things always happen when something becomes more mainstream.
I recommend strongly that anyone in a role like mine take some time to study viruses, exploits, rootkits, and other pieces of hostile code. These are a basic part of the security environment in the field. The more you understand the crap that the Net's rejects and crackheads are throwing at you, the better a job you can do.
Here's just one example of what we can learn from viruses; a bit of an older example, so I'm not doing too much of your work for you:
Let's say your client is considering a bonehead move -- like, say, deploying Microsoft Outlook enterprise-wide. Any security nerd can say "duh, Outlook sux0r, it's full of vulnerabilities, that's why it spreads viruses." However, if you have read the source code of the LoveLetter and Melissa viruses, you will realize (and can explain to your client) that these viruses do not exploit vulnerabilities at all -- at least, not in the sense of buffer overflows and other attacks which target bugs in software. These viruses don't crack anything -- they use perfectly ordinary, documented API calls. It isn't holes in the Windows Mail API that make it a virus breeding ground -- it's just its built-in, designed, intended functionality. That's why these viruses can still spread after years of bug fixes: their critical paths do not rely on bugs at all.
What do we learn from these viruses? Security is not about patching bugs, or having bug-free software. It is about correctly modeling the trust relationships people have with each other regarding their computer resources, in software. The Windows MAPI's design implies an assumption that people want to entrust word-processing documents with the power to send hundreds of emails. That's obviously wrong -- and that, not any bug, is what must be explained to convince someone that Microsoft's mail software is a bad security choice.
There are many more lessons to be learned by understanding hostile code. There are lessons about user interface design: many email viruses depend on getting the user to take some action (opening a message, running a macro, etc.) which unintentionally grants the virus trust and privilege (even the privilege to run code) that it should not have. To design secure systems for users, we must have user interfaces which do not promote such deception. There are lessons about system monitoring and the habits of sysadmins: Unix rootkits, which alter the system to conceal the tracks of an attacker, show just how easily a too-shallow maintenance or log-checking routine can be deceived. There are many lessons.
Get yourself some virus source code. Google will help. Read rootkit code, and the analyses thereof which researchers on SecurityFocus and other sites have published. Understand these attacks, and you will understand the systems they target better than you do now.
The instructor is Dr. John Aycock, and he's definitely one of the better instructors we have in CPSC. His focus is in compilers and OS's, and taught the 3rd-year OS class for I think the first time last Winter.
He definitely has a strong security focus in his courses, and has one of the highest standards I've encountered in a prof regarding testing ( after turning in our implementation of an md5 hash as a system call in OpenBSD, he asked the class if anyone had tried testing with 1 Gb input strings. Just an example).
There's another course with a similar bent - a 4th year SysAdmin course that's year-long and involves substantial network programming. I'm told that the instructors will take down the network during your examination, forcing you to fix things while still completing your test online. Past grads also like to hammer the servers the students setup.
Personally, I'm glad to see these courses - most of these problems are things I've no clue about or would even think about how to prevent. Exposure is a start.
-- "We are all in the gutter, but some of us are looking at the stars" [Oscar Wilde]
My university here in California teaches a course similar to this at the 4th year undergrad or graduate level.
I just finished writing my final exam (actually, a report) in the "Network Security" class. It was actually quite fun. The class is divided into several teams of 3 or 4 students and each team sets up an e-commerce site that is visited by an administrative team that logs successful transactions from their own machines.
Each team's job is to keep their site up while simultaneously trying to knock other teams off of the network. Each site uses two machines with two different operating systems: Redhat 8 and Windows XP professional.
Needless to say, we checked the security and hacking sites several times a day to make sure to be aware of new exploits creeping out.
Hack sessions were "anything goes", we basically progressed from larval stage (script kiddie) to juvenile (perl, java and C based exploits.
No one wrote any new exploits this time around, but a whole new batch of wet-behind-the-ears "hackers" are released from this univeristy every semester.
Of course, the purpose of the class is to create an environment where teams can learn about security by practicing the arts of the "Black Hat". It was surely the most fun I have had yet in the university.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
The first year results are held on an unpatched IIS box.
:o)
For your final exam, there's a security certified server that holds your results. If you can give yourself an A+, you probably deserve it.
Xix.
"Everything is adjustable, provided you have the right tools"
When they're on our side, they're called Freedom Fighters!
In Soviet America the banks rob you!
Writing viruses was actually covered in the assembly language class I took at UMaine circa 1992, in the last chapter of the instructor-written textbook. The rationale in that case was that in informing CS students how easy it is to write viruses, they would no longer see them as technically impressive and therefore not be interested in pursuing their creation. (I just taught my first assembly class this past semester, and use this as an anecdote without actually covering it myself.)
Since I have the text right here, I'll quote it: "...you do not have to be a genius to write a virus... Some people use virus writing to prove their programming skill, but this is poor proof of such skill in my opinion. It's about as much proof of genius as throwing a brick through a window."
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes