Students Learn To Write Viruses
snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."
Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.
Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?
I think not!
Sweet, another person spamming my boards! And no, education isn't an excuse.
I love the smell of burning karma in the morning.
Smells like... victory.
Not sure why the author phrased it that way. It should have read they are not criminals. They very well may be hackers. There is a difference.
Sounds like these students might actually learn something about computer security from this class.
So that's why so many viruses disguise themselves as needed codecs for watching porn videos!
I wish my computer security class in college had been like this. Most of the stuff we did had no creativity involved, nor complexity. We did some password cracking (using john the ripper), sniffing on a network, and a SQL injection. Kind of lame compared to the stuff in TFA.
> Their professor, George Ledin, has showed them how to penetrate even the best antivirus
> software.
That and $.10 will get you a year's supply of fake Viagra.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I was under the impression that all security courses worth their salt taught skills that could potentially be used maliciously. How does one learn how to be a penetration tester? What makes this case different?
Polymorphism is at least an option in most Computer Science courses. Does one really need to sit down and be taught "how to write viruses" specifically? Or can a huge amount of people who write code use their initiative and learn how to write any kind of application?
What companies? Would they want to work there anyway?
Virus writing was part of my assembly & architecture class circa 1990.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
At least when one of these students eventually loses self-restraint, they will be more well-educated than some 13-year-old that randomly Googled for "hacker tools", downloaded and ran the first file they found!
What's interesting to me is the response in the article from the various authorities: the anti-virus companies want him to stop and some have sworn not to hire his students, and the government's apathy about what he's doing.
"The ability to delude yourself may be an important survival tool" - Jane Wagner -
In response to the AV vendors' reply: "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place,"
Normally if something is going to succeed, it evolves to overcome natural or manmade barriers to its existence.
In a way, the fact that the malware and viruses evolve within days of AV updates says that the AV companies are nothing but an annoyance to the writers of the malware.
Why don't we try to get the LAST post in the thread. That way we don't have to look at your comment, and you still have the satisfaction of "winning".
Seriously - no troll. How soon before even teaching this kind of skill, even in the name of security, will require special licensing, background checks, and any other array of "Security Theater" tactics brought forth by the Department of Homeland Security?
Hell, we can't _legally_ export anything with strong encryption but we allow multi-cultural students to learn cyber-terrorism tactics?
$20 says the instructor Mr. Ledin is either carted away to Guantanamo Bay, contract killed by McAfee or Symantec or hired by some euro country with too many consonants in their name...
Never have a philosophy which supports a lack of courage
Cracking the best antivirus software is tough when you consider you have to write a completely new virus to do it. Oh wait that's easy.
God spoke to me.
And what does this have to do with viruses?????
I'd be kind of pissed if I took a computer security class and it was all about social engineering.
but if it was a course on penetration and end user abuse, then it would be completely relevant.
I think teaching the tools of the black arts is useful - you never know when you need to hack into a satellite system and broadcast the evil that it does around the world.
don't you mean actually writing a computer virus that will record keystrokes is extremely easy to do. If anyone graduates from College with a degree in computer science and doesn't know how to do this already they should have their degrees taken away from them.
... if anyone graduates from high school and doesn't know how to speak/write in english, we should revoke their diploma as well.
I agree, partly. But
Formally learning how to engineer such products seems counter productive. Taking apart trojans/viruses seems useful, but this is just asking for trouble. You're taking script kiddies, giving them slightly more knowledge and a bit of confidence. It is fairly apparent that no major security company would hire any of these clowns, why train them to cause trouble?
This teacher is doing nothing wrong in my opinion. In fact, he is doing something that should have already been done by all other computer-security classes in the world. After all, how the heck would you stop something from happening if you don't even know how it happens?
Just like Sun Tzu once said "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
The security companies are just afraid of 2 things... Losing credibility and also being a victim of some black hat student of this teacher.
Use your imagination.
Hey, Slashdot is one of the few places online where people actually talk without a bunch of slang to seem "hip" just look at YouTube comments. Slashdot is much, much, better.
Taxation is legalized theft, no more, no less.
Something about glass houses and stones... English is a proper noun with a capital.
"So long and thanks for all the fish."
Shouldn't AV have a chance at Open Source as much as anything else?
...I codes on Linux, you insensitive clod!
If you are learning SECURITY then the first lesson is that the PEOPLE are the weakest link.
You need to design systems that minimize the human error portion. That means designing systems where it is possible to tell the "good" code from the "bad" code. Where the average user can run an app to identify the "good" code from the "bad" code.
Where the warnings are sufficiently rare that the average user is NOT trained to just click "accept" when one pops up.
Do they target only windows or does their 'education' involve writing viruses for other platforms as well?
Sent from my desktop computer
The original media release by the SSU media relations department is dated in Spring of 2007. Why is this JUST NOW crawling to the top of the news heap?
..but, there is a fairly Darwinian process involved here. While it may be easier, NOW, to go after user behavior, one shouldn't assume that ALL users are going to STAY stupid indefinitely. True, there will be a subset of those who will compensate for a lack of common sense by purchasing software to enable security for them, but as skillful compromising becomes more the norm, the costs of maintaining that "apparent" security will increase. What will likely remain are those of increased skill in regards to security, and those with increasingly deep pockets to pay for the efforts of the skilled. Barring legislation to the contrary, the non-skilled, underfunded folks that dabble occasionally online may very well find themselves denied stable access eventually, or could "opt-out" altogether. My 2p, FWIW.
Hint: it's got to do the penetration part.
"In a windowless underground computer lab in California, young men are busy cooking up viruses" it's IMPOSSIBLE! Viruses need Windows and they won't run in a Windowsless environment.
I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users.
So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?
Where's the inevitable WhatCouldPossiblyGoWrong?
> I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users. So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?
Think of it as a locksmith learning how to open locked cars or houses, not so much policemen causing crimes to learn to solve them, as by definition as long as you aren't breaking the law, you're not a criminal.
i had an assignment in a systems class in college to write a virus. half the class was outraged at such a thing the other half thought it was the most awesome idea evar. prof reasoning behind it is if you knew how to exploit a system at such low levels you knew systems programming very well.
my virus was a masterpiece com infector that infected up to 3 .com files and announced each as it was doing it. wheeeee fun!
-- troutsoup.com
i don't see why this is news. We have people make new dangerous stuff all the time... new microwave weapons to fry crowds, bigger, badder guns to blow up people "better" than we already do, etc. We even have people that work with deadly organisms and it's worked out well... ok...not a good example...
but anyway, we try to beat the system in all fields, none react quite so quickly to being broken as software, so it's slightly more dangerous. But it's not like somebody wouldn't have figured out how to get around systems anyway... it's better that the "good guys" figure out first.
711CE2644B55BB071F36457E9783E0EE3A4D9EA0
#include <stdio.h>
int main(void){return printf("hello, world\n");}
Offtopic but interesting. Kind of an Ernest Hemingway meets Hunter S. Thompson thing going on.
This guy is teaching cyber-terrorism !!
The SAS could take out any one of these training camps.
Kill everybody there, and be gone before the echo fades.
> Thomas Fynan floods a bulletin board with huge messages from fake users.
Ah-hah! Got ya!
Quis custodiet ipsos custodes?
as a two-semester course.
It is held at the technical university in vienna and is called "InetSec"
http://www.iseclab.org/InetSec/
The course has a very high quality and includes practical exercises like sql exploits, writing buffer overflows, trojans and the like.
You even get your own automatically generated "1337 handle" upon subscription to the course, and you can advance from "script kiddy" (no homework assignments aka challenges turned in) to "master guru" (turned in everything + extra work + participated in a CTF) - so actually participating in the course is more fun and play than work ;)
I wonder why that article is news, since there is a CTF (http://www.cs.ucsb.edu/~vigna/CTF/) held every year, where a lot of universities and colleges from everywhere participate - I doubt they don't have similar courses.
Then again, since the viennese guys kick ass at these contests... ;)
...a 19 year old Finnish student has embarked on a project to learn more about his computer by writing a kernel.
No really though, I remember reading about this or something similar years ago.
Palm trees and 8
touche.
Good Lord, there is the idiot KGIII, as usual:
Playing the 'wannabe PhD in English' (& he doesn't have one, mind you)/English teacher/Grammar & Spelling critic!
Hey, fool - Go away, you useless loser.
In case you hadn't noticed, moron - this is a topic on computing, not english class (nor is this person's post you are giving a hard time to his last will & testament, or a legal document).
People, ignore that stooge KGIII - he has nothing better to do, or, the ability to contribute here, constructively.
...since if that's how they're spending their time, they won't be penetrating anything (or anybody) else!
*ducks*
Is Capitalism Good for the Poor?
I couldn't resist. I tried, I even hit preview. In the end I had to do it. Oh, and it is touché I believe. ;)
"So long and thanks for all the fish."
If a person learned Jujitsu, he would effectively be learning ways to kill people among other things. This doesn't equate to actually killing people, or actually beating people up, etc. Maybe you use your martial art to save your girlfriend or do some other good thing someday.
Just because you can possibly use some skill to be evil doesn't mean you shouldn't learn it.
It's like saying police shouldn't know any martial arts or learn to shoot a gun because they could use the skills to kill someone.
I taught myself x86 assembly and DOS API programming when I was 14, and wrote my own virus just to see if I could. I actually borrowed code from another virus, I think it was called NoFrills, that I had found on one of my disks and used parts of its memory routines. Doing this taught me a great deal about interrupts, routines, and assembly programming. I personally think virus writing should be a pre-requisite in all programming courses, sure viruses can be bad, but the techniques and things you learn (interrupt hooking, allocating memory without using the OS, callbacks, polymorphism, opening and reading files, method vtables (the same thing C++ uses)) can be used in all sorts of other areas. I remember using Thunderbyte Anti-virus to test it, and trying to hide my virus from its scanners as much as I could :P
I don't need to test my programs.. I have an error correcting modem.
I can't get the é - e+accent aigu to work *sigh*
Windows XP with the U.S. International Keyboard layout is how I do it. It seems to get parsed by the /. system fairly well.
(It would seem some AC took offense to what was intentionally amusing, oh well.)
"So long and thanks for all the fish."
Knowing is half the battle.
CAn'T CompreHend SARcaSm?
I guess the more computer science students know about how viruses work, the better equipped they would be to write software to combat them. On the other hand it's a chicken v egg scenario, they could also develop better viruses too. lol
this is an awful stupid post.
of course police detectives try to figure out how to re-enact the crime themselves as they are trying to solve it, and very good training (like special ops, drug enforcement) always includes playing the role of the malignant.
of course they are supposed to try their stuff on a "simulated" (as in: non productive, setup only for that task) system.
I know I don't speak for all of us here, but wherever you got this shit, dude... MOAR!
I'm from Newark, NJ, you insensitive clod!
...no really, I am. It's not as bad as people think.
There's basically five wards of the city: Central, North, East, West, and South. The East Ward (more famously known as The Ironbound) is a very nice old school neighborhood. Not always quiet but there aren't any crack dens.
The Central Ward is downtown, where we have a stadium (hosting the NJ Devils, Seton Hall Pirates, and a bunch of concerts) and a lot of good bars and shops.
The other three wards pretty much ARE the run down, people-getting-shot areas. I'm fortunate to live in the good part of Newark.
Random Thoughts From A Diseased Mind (Not For Dummies)
Since when do only men write code?
This is misguided. Students should be taught how to write viruses that infect other viruses.
I go to sonoma state, Mr. Ledin is an awesome teacher, but it is true that many of the local tech companies have blacklisted the students in the class.
hey, that's a sweet idea. the first one to get a post that makes all other posts irrelevant would win. think we could organize that kind of contest?
Yes. It's called "slashdot"
Debian FTW
Right, but these people are actually pushing crap onto the internet; not just playing in simulator land.
No, no, no... Not more. This is /. after all. I actually read all of it and I did enjoy reading it with all of its insanities but I really don't think that qualifies as a quality post.
"So long and thanks for all the fish."
My guess is that the lab is far from Windowless
-= This is a self-referential sig =-
... on sociological/psychological effects of/to/by computer. I can easily think of at least three major topics:
1) UI design. More general, software and user interaction.
2) Security system. As gp said, human is the weakest link. Try to understand and explain the reasons ( other than stupidity and laziness ), and how to design your system to avoid them.
3) Social network. [ Just a buzz word to attract more students !]
>>In a windowless underground computer lab in California, young men are busy cooking up viruses
If I were teaching this I'd make sure that there were plenty of copies of the different versions of that OS to test on.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
"You can build a better mousetrap" -----Rube Goldberg .....but you'll only be left with mice that are smarter than you.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
I don't believe it is windowless. Having Windows is the best way to perpetuate viruses!
why didn't any of them troll as an anonymous coward?
What I read, it is pretty much what Hackers do, learn the security weaknesses and then fix them or even understand them so they can block them.
Those are Hackers, but not Crackers who would then use those... but wait... they DID seem to spam internet forums etc...
Both police and fire training involves a fair bit of *knowing how the enemy thinks*. True, no actual mugging/pyromania is involved, but it comes closer than you think. How do you think they set up the training sessions? Somebody has to play the perp, or set the house on fire, and you can be damn sure they are told exactly how to go about it.
"Good news, everyone!"
P J O'Rourke - is that you?
Fucking brilliant - inventive parody at its best.
Offtopic it may be, but it's pure genius all the same.
Thanks, bro!
One swallow does not a fellatrix make
As a computer security masters candidate, I agree with the idea of teaching the "white hats" how to think like the "black hats" and to have the same sort of skill sets.
How else are we supposed to learn how to protect against crackers if we don't know what they actually do? How are we supposed to do pen testing if we can't crack systems ourselves?
I learnt how to crack in a secure lab with no connection to the rest of the internet once we had set up the computers. We got advised before we even started learning how to pingflood a computer that if we used any of the skills we learnt outside of the room while we were still studying, we would be handed over to the federal police in Australia.
*** I had a
Too, many, commas, to, parse, intelligibly.
Please, learn to punctuate your nonsensical ejaculations so that they make more, rather than no, sense.
One swallow does not a fellatrix make
Now you made me go get all nostalgic about the Portuguese festival. That was one hell of a time. Though, unfortunately, I lived in one of those "other" wards.
Any competent technologist can write a destructive program but how many can write something that really changes the world?
you must be new here
Much like most of today's software!
They've been doing that in my University's IT Security Labs for the last 4 years.
About 10 computers on an isolated network and portable memory is banned.
I don't know too much about it but as far as I know it's mostly used for cryptanalysis in a simulated live environment.
I wonder why some of the businesses quoted by TFA are so vehemently emotional about their opposition? "vowed never to hire graduates of his class, yadda, yadda."
I could understand bland statements about not thinking that the class was an especially good idea, or believing that such a class does not provide especially useful skills; but the position given is something else entirely. Now, it could just be some journo-monkey spicing it up a bit, because that is easier than actually knowing something about the subject, or attempting to inform the reader; but it is also possible that they reported accurately. If so, the question stands.
It is particularly odd because one would expect antivirus companies to like anything that contributes to a sense of fear and insecurity. So long as the world is a terrifying place, they just need to seem more secure than their competitors in order to cash in. Why would this class upset them? It makes me wonder if, when talking off the record, they are letting sheer vanity and anger at being made to look foolish get the better of them.
that's how I'm doing it too... ' + e.
'mundane coprophilia'
+1 Broad Mind to you !
I'm taking this class next semester, it's called Intro to Malicious Code. I didn't think it was that uncommon.
Of course, my college is known as one of the best schools in the nation for Computer Security. My Masters Thesis is actually being presented at the Virus Bulletin Conference this year (If I ever finish the damn thing). I'd tell you what it was, but I'd rather the server not suffer the consequences.
Think of the Ducks!
oh, so you have to make it a white thing? Me and my crackers goin to bust a chip on your BIOSch.
Defense against the dark arts? Harry Potter? Anyone?
If you don't know what you're doing, you can't make mistakes.
Where's the part about how FBI students/recruits get to confiscate their equipment for an undetermined amount of time, and interrogate them for illicit trading of digital feline (kitty) pornography "materials"?
Sounds like a script for a good movie, nah?
If I am an anti-virus company looking for developers, why would I possibly turn away programmers who took a course on virus development? It was a sanctioned computer course at a college or university, it would seem to me that these would be *exactly* the people you want. They should have a better understanding of how a virus developer thinks and thus have a head start on combating future viruses. Yes, it may be that some took that course because they were interested in writing malware, but many will have taken it because they want to know how to fight it. I think only a moronic close-minded company would turn these people away just because they took a course.
It's like the Dept of Justice not hiring people who took a course on criminology because they might cause a crime.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
I do think that teaching how to attack helps students learn how to fight the attack more efficiently. Would you take your car to a mechanic that didn't know how to drive?
PYROPHOR
comp sci people should know the basics of virus and malware.
Five years ago, back in 2003, the University of Calgary offered a similar course. I wonder if we'll see the same reactions and tired old positions as last time.
-- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
Are you serious? Have you read the article? There's a dedicated (and closed) network for virus production. The switch doesn't get to bump uglies with the internet.
In a very elegant manner, precisely why I've switched all of my home boxen to Linux. The end user's experience does not matter to the AV companies; it matters only tangentially to Microsoft. What matters most, is money. That is, their profitability, not mine.
If I paid for antivirus software, I would expect it to protect me from all viruses, not merely the ones trying to rip off major corporations. You need to understand the perspective of the typical Windows user:
A few years ago, I worked as a Linux developer. Since then, I've switched jobs and am now using a Windows box. Two things occur to me:
So, when I have the choice, and my time is important - that is, when it means money - I use Linux. Apparently my time isn't considered important to the AV companies. They think I can just sit on my hands and do nothing while a file is scanned. What happens is that these little annoyances add up, and I end up working overtime because some AV company is all about profit, not productivity.
The society for a thought-free internet welcomes you.
Not that it matters much but alt + 0233 = é as well. I don't think anyone will care nor really notice.
If you're really interested this is the first site that came up (it isn't as if I remembered that number) in a search:
http://www.coloryourprofyle.com/phade/alt.html
"So long and thanks for all the fish."
Oh, I'm sure they will get hired, no worries. But no AV company would readily admit they do. Mostly because of the other AV companies. It's a groupthink-thing. You don't hire him because all your peers think he's a loose cannon, but at the same time you want him, hire him and keep him under wraps.
The biggest fear any AV researcher faces is being accused of actively writing and/or spreading malware. You are dead if you do. You are highly dependent on being part of the network to be efficient at finding new threats. No AV researcher can afford a global detection network. Well, maybe MS could and eventually they'll have to... different story. But what it comes down to is that you depend on being on good terms with your peers.
Allegations come quickly when some minor backwater player suddenly starts finding new threats faster than anyone else. It gets worse when they find a way to remove infections that even big guns like Kaspersky have troubles with. Having someone in your team who is known as a malware author spells death for you, then.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's secret ewing! That's what he was up to. Sorry, SSU in-joke. Go Cossacks!
if you read the first paragraph in the "movie announcer voice"... it's far more fun. Sorry, just had to pass it along. (But it does sound like the opening credits to a summer blockbuster.)
Joe Investor
The kurons might like it. Fits right in with the crazy shit there.
Post tenebras lux. Post fenestras tux.
thanks. I guess that means i could use & # 2 3 3 ; too...or & e a c u t e ;
I went through the training for Volunteer Firefighters. You learn all about setting fires. I know guys who went to various academies. You learn all about forcibly taking things away from people. Firefighters study arson. Cops study crime. You absolutely want them to. There was never a saint who didn't perfectly understand sin.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
Ledin was my first prof on my first CS class on my first day of college. He's an awesome guy. We keep in touch, and I just had lunch with him the other day when he was out my way, and he invited me to speak at an SSU CS colloquium in September. Go Prof. Ledin!!!
I think the professor's time would be better spent communicating with the AV companies, rather than helping breed the next generation of script kiddies. Teaching college students to break AV software seems counter-productive to the industry's attempts to make things better. I am not saying that security through obscurity is better, but I think it would be helpful to determine the color of the student's hat before giving away the keys to the kingdom.
If you get to do hands on research, Where do I sign up for the lab on Drug Abuse? I want to learn to think like a Drug User. Do they teach techniques?
Well, there's antivirus companies and there's antivirus companies. Symantec and their ilk will I'm sure bluster on about how they'd NEVER hire these types, then will wonder why they just kind seem to find good employees. Kaspersky, AVG, etc., I'm sure they'd hire them.