Slashdot Mirror
Canadian University to Begin Training Hackers
torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
I just read a good article on this too. Apparently, if we train hackers at a young age, we can control them, and get much more work done. Read the article at http://www.cs.berkley.edu/~bh/hackers.html
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
I'm sure they will be ACCUSED of it, but I think everyone here sees the real reason. How can you know how to secure your systems if you don't know what the virus writers are doing?
And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.
Crackers, not hackers.
I understand this is a losing battle but lets not get it wrong on slashdot.
Siggy Say, Siggy Do
will this be offered as an online course?
Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
Oh! Oh! I Know! Is it...terrorists?
Triv
Skills:
Comment:
While I realize the above skills may not be entirely useful for the position described, I have noted that you do have an internet connection to your primary server via IP address 66.35.250.150. Would you like me to tell you your root password during an interview, or should I be ready work at 8:30am tomorrow?
Well, I'm quite proud to be an (adopted) Canadian. I see this as just another way for us to poke the Nazi Americans...what with SARs, mad cow, and our threat to decriminalize pot...why shouldn't we just push the envelope a little more? ;-)
We also maintain a threatening lead in Zamboni technology. [This borrowed from Canadian Bacon].
After all, by studying how viruses are made, you can better understand them and thus make better anti-virus software. The kids going here are not going because they want to learn to be L33T cyber hackers or whatever, but knowing the tools of the trade (white and black hat) will help them in the computer programing/protection field.
Fuzzy Knights: New RPG Strips Tuesday and Friday!:
http://www.fuzzyknights.com
where did they get the figure of $1.6-trillion of damage done by viruses
I was out sick for 2 weeks a few months ago with a virus so that explains a lot but I'm dammed if I know where they got the other half trillion from.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?
There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)
The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.
Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.
Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.
The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.
I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.
Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.
I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.
Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup
Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?
Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.
Disgruntled Professor in said subject goes insane (but his inherent humanity remains for later purposes in the script, naturally) and writes a virus that will 'bring down the planets computing power'. Former student and star of the class is brought in (obviously from somewhere and time at which they for some reason cannot face computers (possibilities: severe RSI, Epilepsy set off miraculously by 65-85Hz screens, Blindness...) to defeat the mad professor, before the final showdown with badly executed profundities.
And all the computer scenes have to use a bizarre and unique 3D styled UI, that looks wholly unusable, and slightly, if not completely frustrating.
Geee, I can't wait *lays on the fake exuberance*. These things always happen when something becomes more mainstream.
I recommend strongly that anyone in a role like mine take some time to study viruses, exploits, rootkits, and other pieces of hostile code. These are a basic part of the security environment in the field. The more you understand the crap that the Net's rejects and crackheads are throwing at you, the better a job you can do.
Here's just one example of what we can learn from viruses; a bit of an older example, so I'm not doing too much of your work for you:
Let's say your client is considering a bonehead move -- like, say, deploying Microsoft Outlook enterprise-wide. Any security nerd can say "duh, Outlook sux0r, it's full of vulnerabilities, that's why it spreads viruses." However, if you have read the source code of the LoveLetter and Melissa viruses, you will realize (and can explain to your client) that these viruses do not exploit vulnerabilities at all -- at least, not in the sense of buffer overflows and other attacks which target bugs in software. These viruses don't crack anything -- they use perfectly ordinary, documented API calls. It isn't holes in the Windows Mail API that make it a virus breeding ground -- it's just its built-in, designed, intended functionality. That's why these viruses can still spread after years of bug fixes: their critical paths do not rely on bugs at all.
What do we learn from these viruses? Security is not about patching bugs, or having bug-free software. It is about correctly modeling the trust relationships people have with each other regarding their computer resources, in software. The Windows MAPI's design implies an assumption that people want to entrust word-processing documents with the power to send hundreds of emails. That's obviously wrong -- and that, not any bug, is what must be explained to convince someone that Microsoft's mail software is a bad security choice.
There are many more lessons to be learned by understanding hostile code. There are lessons about user interface design: many email viruses depend on getting the user to take some action (opening a message, running a macro, etc.) which unintentionally grants the virus trust and privilege (even the privilege to run code) that it should not have. To design secure systems for users, we must have user interfaces which do not promote such deception. There are lessons about system monitoring and the habits of sysadmins: Unix rootkits, which alter the system to conceal the tracks of an attacker, show just how easily a too-shallow maintenance or log-checking routine can be deceived. There are many lessons.
Get yourself some virus source code. Google will help. Read rootkit code, and the analyses thereof which researchers on SecurityFocus and other sites have published. Understand these attacks, and you will understand the systems they target better than you do now.
The first year results are held on an unpatched IIS box.
:o)
For your final exam, there's a security certified server that holds your results. If you can give yourself an A+, you probably deserve it.
Xix.
"Everything is adjustable, provided you have the right tools"
When they're on our side, they're called Freedom Fighters!
In Soviet America the banks rob you!
Writing viruses was actually covered in the assembly language class I took at UMaine circa 1992, in the last chapter of the instructor-written textbook. The rationale in that case was that in informing CS students how easy it is to write viruses, they would no longer see them as technically impressive and therefore not be interested in pursuing their creation. (I just taught my first assembly class this past semester, and use this as an anecdote without actually covering it myself.)
Since I have the text right here, I'll quote it: "...you do not have to be a genius to write a virus... Some people use virus writing to prove their programming skill, but this is poor proof of such skill in my opinion. It's about as much proof of genius as throwing a brick through a window."
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
At the time, U of C didn't teach C either. Students were expected to be able to learn "C" on their own by third year, since they'd already been exposed to three or four different programming languages from different spheres. Once you were in third year, you could, for the most part, do your projects in whatever language you wanted, as long as the TA knew the language. Most students did their projects in C.
As well, the first year courses almost always used languages that students were unlikely to have encountered ever before. This helped level the field between the people who were "xc3113nt C h4x0rz" and everyone else. Everyone started from first principles in functional programming.
By the time I'd hit third year, I'd had courses where the language of choice were Pascal and Modula/2 from the "Von Newman" sphere, ML from the functional sphere, and PDP-11 assembly (was being replaced with SPARC assembly at the time) from the low level sphere.)
By the time I'd graduated, I'd added courses that required languages based on category theory (Charity) and one based on primitive recursion (it only had zero(), succ() and recurse(x,y) functions and you had to define the whole rest of the language yourself based on those.) If I'd taken different courses, I would have been exposed to Lisp, Prolog, SQL, etc.
The theory behind all this was they wanted to teach you different ways to think about problems, not just how to pound in a solution in C. People who just wanted to learn to code in C, be able to say they were a "programmer" and go on to a career went to SAIT or DeVry.
Pick any academic program and you'll find people who think something is "missing" or can be "better." That's why they evolve over time. The main flaw I found with the U of C program (IMHO) was that the only course that really required you to deal with a large project (CPSC 510, full year, write a compiler from scratch) wasn't a mandatory course.
But I'm glad I got my degree from U of C. And I'm not crippled in my ability to work in C/C++ because I never took a half-year course in it.