Slashdot Mirror


Students Learn To Write Viruses

snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."

15 of 276 comments

  1. Penetrate even the best antivirus software? by ohcrapitssteve · · Score: 5, Interesting

    Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.

    Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?

  2. Old News by dcollins · · Score: 4, Interesting

    Virus writing was part of my assembly & architecture class circa 1990.

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    1. Re:Old News by devonbowen · · Score: 5, Interesting

      Back when the Morris worm hit in '88, I was teaching assembly language. We'd spent the whole day on the worm (making sure it hadn't planted or destroyed any files on our machines) and I didn't have a lecture prepared by class time. So I told them I'd explain the worm instead but that they could leave if they wanted since it wouldn't be on the exam. Our topic the week before was how the stack was changed during function calls so they already had the background. No one left and I got the pleasure of watching faces light up around the room as it dawned on people where my explanation was going. Ah, those were the days...

      Devon

  3. Re:So what? by PC and Sony Fanboy · · Score: 2, Interesting

    What companies? Would they want to work there anyway?

    Spot on! I mean, why work for a security company, when you can work for a government? Isn't that what this guy is going to do in New Zealand?

    and ... failing a government contract, why not just 'make' your own money using your newly found l33t haxx0r skillz from school?

  4. Re:"We've Changed this Game" by Anonymous Coward · · Score: 5, Interesting

    I used to write viruses. Evading anti-virus software was sort of like the testing/tweaking phase of software development -- "oops, McAfee flagged it as suspicious, let me modify this line of code here, this one here... ahah, fixed".

    The truth is, anti-virus technology hasn't significantly changed since the DOS days. It's all about heuristics, pattern-matching, and behavior-preventing. It's trivial to evade these technologies.

  5. Re:Hostile Authorities by Darkness404 · · Score: 5, Interesting

    Yes, but why are they even caring? I mean, today I picked up a copy of 2600 from a local bookstore, in there I learned how to do ARP poisoning, obtain malware via a honeypot, and all kinds of info that is similar to this. Yet I don't see the FBI raiding 2600's publisher burning all copies of the magazine.

    You can get cracking techniques from loads of places, this guy's teachings are old news.

    --
    Taxation is legalized theft, no more, no less.
  6. Is there, or should there be a line to education? by grilled-cheese · · Score: 2, Interesting

    I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users.

    So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?

  7. Re:Oh Joy more spam by NovaHorizon · · Score: 2, Interesting

    Do the kids have flash drives? because that would be like a bio hazard suit with pockets.

  8. What about martial arts.. by Safiire Arrowny · · Score: 4, Interesting

    If a person learned Jujitsu, he would effectively be learning ways to kill people among other things. This doesn't equate to actually killing people, or actually beating people up, etc. Maybe you use your martial art to save your girlfriend or do some other good thing someday.

    Just because you can possibly use some skill to be evil doesn't mean you shouldn't learn it.

    It's like saying police shouldn't know any martial arts or learn to shoot a gun because they could use the skills to kill someone.

    1. Re:What about martial arts.. by jhfry · · Score: 2, Interesting

      students shouldn't learn to write viruses because it is a poor way to learn information security

      I don't agree. It would be a poor way if it was the only way you learned, however it's actually an excellent lesson for students who would otherwise fail to recognize just how easy it is to do and just how unprotected they are by software AV solutions.

      Sometimes the best way to teach something is to immerse the student in it... and even better is to show them the other side of things.

      Your statement is like saying that taking classes in breaking software (unpredictable behaviour) is a poor way to learn to test software. The more intimately you understand the threats, the better you can protect against them.

      Besides... a class like this will breed a bunch of new Linux users cuz they will realize how easy it is for their Windows machines to be pwned.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.
  9. Should be mandatory by Spikeles · · Score: 2, Interesting

    I taught myself x86 assembly and DOS API programming when I was 14, and wrote my own virus just to see if I could. I actually borrowed code from another virus, I think it was called NoFrills, that I had found on one of my disks and used parts of its memory routines. Doing this taught me a great deal about interrupts, routines, and assembly programming. I personally think virus writing should be a pre-requisite in all programming courses, sure viruses can be bad, but the techniques and things you learn (interrupt hooking, allocating memory without using the OS, callbacks, polymorphism, opening and reading files, method vtables (the same thing C++ uses)) can be used in all sorts of other areas. I remember using Thunderbyte Anti-virus to test it, and trying to hide my virus from its scanners as much as I could :P

    --
    I don't need to test my programs.. I have an error correcting modem.
  10. Re:They need BOTH! by TheLink · · Score: 2, Interesting

    I've proposed this:

    https://bugs.launchpad.net/ubuntu/+bug/156693

    3rd party code should say what it is and what sandbox template it requires to run.

    If the requested sandbox is in line with what the code claims to be, and "what it is" is what the user wants, then the user can decide to allow it.

    The O/S then sandboxes the code according to those privileges.

    Expecting users or software to identify good code from bad code is similar to expecting them to solve the "Halting Problem".

    With my suggestion, it is a lot easier to train users to understand that a "Paris Hilton Video" which requires "Full System Privileges" is likely to be malware.

    Whereas a "Cute Game" that requires "Guest Game Privileges" should be OK and since the O/S sandboxes it, there's little the "Cute Game" can do - it should not even be able to access the user's Documents (which unfortunately is possible in most Desktop O/Ses today - almost anything the user launches can access the user's documents, microphone, webcam etc).

  11. Re:Social Engineering VS Computer Sci by Kingrames · · Score: 2, Interesting

    Also, keep in mind it looks better on your resume than a fine arts degree.

    --
    If you can read this, I forgot to post anonymously.
  12. Sonoma State security class by Anonymous Coward · · Score: 1, Interesting

    I go to Sonoma State, Mr. Ledin is an awesome teacher, but it is true that many of the local tech companies have blacklisted the students in the class.

  13. Re:Good by Opportunist · · Score: 2, Interesting

    You're right when you say that the ploy used 3 months ago is worthless today. Teaching someone to abuse the LSASS or RPC exploit used by Sasser and Lovsan, respectively, is about as useful as knowing how to code with punchcards. It was highly useful in the ol' days of yore, but when you tell someone in the field with pride that you can do either, they'll at best snicker at you.

    There are, though, techniques that are still useful because they cannot be patched. Mostly because they are working as intended. It is still possible to run malware inside another process, that's a wanted behaviour. It is still possible to create low level malware drivers, for the same reason. So teaching those does make a lot of sense.

    I also can't agree with the firefighter analogy. It's more like teaching a designer for locks how lockpicking works. To design the better lock, you have to know how a burglar tries to defeat them. You have to know what ways exist to get malware into the system to know which points you have to harden to raise that bar for the invaders.

    I wouldn't concentrate on any specifics, though. That would be more like handing out fishes instead of teaching to fish. Specific information is outdated the moment you learn it, because it was current when your teacher learned about it, and 3 months is a long, long time in that field. What was state of the art a year ago isn't too interesting anymore today. To make the teaching efficient, you have to steer clear of anything too specific for a given attack. The theory, the basic idea behind an attack, is more important than any practical application. Teach where systems are vulnerable, and what vulnerabilities cannot be closed easily because the system depends on them. Then start thinking of ways how to seal them as good as possible.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.