Students Learn To Write Viruses
snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."
Not sure why the author phrased it that way. It should have read they are not criminals. They very well may be hackers. There is a difference.
Sounds like these students might actually learn something about computer security from this class.
I wish my computer security class in college had been like this. Most of the stuff we did had no creativity involved, nor complexity. We did some password cracking (using john the ripper), sniffing on a network, and a SQL injection. Kind of lame compared to the stuff in TFA.
I was under the impression that all security courses worth their salt taught skills that could potentially be used maliciously. How does one learn how to be a penetration tester? What makes this case different?
Polymorphism is at least an option in most Computer Science courses. Does one really need to sit down and be taught "how to write viruses" specifically? Or can a huge amount of people who write code use their initiative and learn how to write any kind of application?
What companies? Would they want to work there anyway?
In response to the AV vendors' reply: "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place."
Normally if something is going to succeed, it evolves to overcome natural or manmade barriers to its existence.
In a way, the fact that the malware and viruses evolve within days of AV updates says that the AV companies are nothing but an annoyance to the writers of the malware.
Seriously - no troll. How soon before even teaching this kind of skill, even in the name of security, will require special licensing, background checks, and any other array of "Security Theater" tactics brought forth by the Department of Homeland Security?
Hell, we can't _legally_ export anything with strong encryption but we allow multi-cultural students to learn cyber-terrorism tactics?
$20 says the instructor Mr. Ledin is either carted away to Guantanamo Bay, contract killed by McAfee or Symantec or hired by some euro country with too many consonants in their name...
In case that wasn't a rhetorical question, the answer is:
Because it is a computer class (probably part of a CompSci degree), not sociology/psychology. While targeting the user is a perfectly good way to go about breaking into something, that topic area isn't very practical for computer science. I think the point of TFA is that the class teaches a lot more than "this is how to kill McAfee, now go run amok!" It is a good opportunity to think outside the box, and targeting the user is very much inside the box, and very low tech.
I'd be kind of pissed if I took a computer security class and it was all about social engineering.
I'd be kind of pissed if I took a computer security class and it was all about social engineering.
but if it was a course on penetration and end user abuse, then it would be completely relevant.
I think teaching the tools of the black arts is useful - you never know when you need to hack into a satellite system and broadcast the evil that it does around the world.
If you are learning SECURITY then the first lesson is that the PEOPLE are the weakest link.
You need to design systems that minimize the human error portion. That means designing systems where it is possible to tell the "good" code from the "bad" code. Where the average user can run an app to identify the "good" code from the "bad" code.
Where the warnings are sufficiently rare that the average user is NOT trained to just click "accept" when one pops up.
Because breaking into things and creating stealthy shit is the greatest problem solving skill you will ever find.
By nature, to break into a computer, you have to force it to do something it (software, sometimes hardware i.e. Intel errata) was specifically not designed to do. Usually this amounts to something not obvious to 100% of the rest of the world for some strange reason being obvious to you. The more experience you have warping completely tame and working interfaces in perverse ways due to minor quirks, the easier this becomes.
Load modules and shared objects aren't designed to be altered like that; and in this case you have a system designed specifically to catch and prevent you from doing what you're doing. This is, again, forcing something into a position it's not designed to operate in to achieve a predictable result.
Carmack's Reverse, Duff's Device, and even Edison's light bulb worked from these same principles; remember, by its very nature you cannot have light without fire.
targeting the user is very much inside the box, and very low tech.
Well, yes and no. This is a computer class, so sure, let's just study what you can do at the keyboard, but if you are talking security, then the user is the weakest link. The hackers that have done the most damage and made the most money have all used social engineering at one point or another. And why does it work? It works precisely because it is outside the box - the computer box. Programmers and security experts can do all they can inside the box, but their systems are not secure if an idiot holds the key or gives out passwords over the phone.
So the most secure systems are not user dependent, but to understand how to avoid depending on the user and how to avoid creating secrets to guard, you will need insight into the social engineer-ability of a system.
I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users. So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?
Think of it as a locksmith learning how to open locked cars or houses, not so much policemen causing crimes to learn to solve them, as by definition as long as you aren't breaking the law, you're not a criminal.
Offtopic but interesting. Kind of an Ernest Hemingway meets Hunter S. Thompson thing going on.
I'd be kind of pissed if I took a computer security class and it was all about social engineering.
Unfortunately for all of us, a technical attack is usually fixable by the next version of security software or the OS, while a psychological attack will continue working effectively as long as computers are operated by people. If the objective is to benefit from an exploit, as opposed to obliterating a system, it is nearly always more profitable to deceive the victim into believing that they are still in control of their system as well. I believe that a good attack would incorporate a high level of technical expertise, coupled with a social engineering deception. There is after all a saying,
There is no patch for human stupidity.
I think anyone taking a computer science class that wants to disregard the human element of computing is not likely to be the most successful in the IT field.
In the old days, the author of a high-speed worm would have wanted to avoid user interaction, because human beings slow things down. Slammer doubled the number of infections every 8.5 seconds when it took off: hard to do that when you have to wait for a user to figure out how to turn off their antivirus software.
Someone who is targeting corporate systems today, for espionage or to recruit well-connected botnet hosts, is attacking an environment where the users may not be able to turn off their antivirus software.
A pure social engineering attack, with no code obfuscation, would have to work in two stages. The actual payload would have to be delivered after the antivirus got turned off, not before, so there would have to be a first stage containing the UI to persuade the user to disable anti-virus. Hardly impossible, but a nuisance.
Those are a few of the reasons, though your point stands unchallenged: humans are the weakest link, and security people who develop tunnel vision about technical protections and countermeasures are crippling themselves.
You're defending the wrong point. I never said that students shouldn't learn to write viruses because it's evil or dangerous. I said students shouldn't learn to write viruses because it is a poor way to learn information security. I really don't care if they are now "a threat" because of taking this class. The last person I'd be scared of is a student who decided to take a class on virus writing. The success stories in that industry are all self-starters. However, the 14 class hours and countless hours spent on homework and projects have been 100% wasted. The students now have an appreciation for how easy it is to be the attacker... big deal. If they didn't already read that and believe it, they are going to fail at information security. If every little point has to be driven home with 50 hours of practice, then they have heads made out of rocks.
What is the expected takeaway from this class? Are the students supposed to hand threat model all systems and test their defenses with home-made viruses? Any half-baked defense scheme will stand up to an attack crafted by the defender. Just look at Kryptonite bicycle locks -- years of research and development defeated by a BIC pen. The lesson is that nothing is even reasonably secure until it has been exposed to many thousands of attack attempts by many thousands of deviant minds. This class will only serve to delude some of the students into thinking they are penetration testing when they are actually just randomly poking at their defenses.
This is misguided. Students should be taught how to write viruses that infect other viruses.
I don't believe the stuff they're cooking up could be any worse than the other "5000" viruses that come out each week now. All I know is this class beats the heck out of the cybersecurity class I took in college. It seemed like all we did was read excerpts from Kevin Mitnick.
If I am an anti-virus company looking for developers, why would I possibly turn away programmers who took a course on virus development? It was a sanctioned computer course at a college or university, it would seem to me that these would be *exactly* the people you want. They should have a better understanding of how a virus developer thinks and thus have a head start on combating future viruses. Yes, it may be that some took that course because they were interested in writing malware, but many will have taken it because they want to know how to fight it. I think only a moronic close-minded company would turn these people away just because they took a course.
It's like the Dept of Justice not hiring people who took a course on criminology because they might cause a crime.
In a very elegant manner, precisely why I've switched all of my home boxen to Linux. The end user's experience does not matter to the AV companies; it matters only tangentially to Microsoft. What matters most, is money. That is, their profitability, not mine.
If I paid for antivirus software, I would expect it to protect me from all viruses, not merely the ones trying to rip off major corporations. You need to understand the perspective of the typical Windows user:
A few years ago, I worked as a Linux developer. Since then, I've switched jobs and am now using a Windows box. Two things occur to me:
So, when I have the choice, and my time is important - that is, when it means money - I use Linux. Apparently my time isn't considered important to the AV companies. They think I can just sit on my hands and do nothing while a file is scanned. What happens is that these little annoyances add up, and I end up working overtime because some AV company is all about profit, not productivity.