Students Learn To Write Viruses
snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."
poop lol is the best thing in th world because i'm the pirst ferson to comment
Lulzaplenty!
no thanks
first post is mine
Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.
Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?
I think not!
Sweet, another person spamming my boards! And no, education isn't an excuse.
Not sure why the author phrased it that way. It should have read they are not criminals. They very well may be hackers. There is a difference.
Sounds like these students might actually learn something about computer security from this class.
So that's why so many viruses disguise themselves as needed codecs for watching porn videos!
I wish my computer security class in college had been like this. Most of the stuff we did had no creativity involved, nor complexity. We did some password cracking (using john the ripper), sniffing on a network, and a SQL injection. Kind of lame compared to the stuff in TFA.
> Their professor, George Ledin, has showed them how to penetrate even the best antivirus
> software.
That and $.10 will get you a year's supply of fake Viagra.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I want to learn this stuff
I was under the impression that all security courses worth their salt taught skills that could potentially be used maliciously. How does one learn how to be a penetration tester? What makes this case different?
Polymorphism is at least an option in most Computer Science courses. Does one really need to sit down and be taught "how to write viruses" specifically? Or can a huge amount of people who write code use their initiative and learn how to write any kind of application?
What companies? Would they want to work there anyway?
Virus writing was part of my assembly & architecture class circa 1990.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
At least when one of these students eventually loses self-restraint, they will be more well-educated than some 13-year-old that randomly Googled for "hacker tools", downloaded and ran the first file they found!
What's interesting to me is the response in the article from the various authorities: the anti-virus companies want him to stop and some have sworn not to hire his students, and the government's apathy about what he's doing.
"The ability to delude yourself may be an important survival tool" - Jane Wagner -
In response to AV vendors reply "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place,"
Normally if something is going to succeed, it evolves to overcome natural or manmade barriers to its existence.
In a way, the fact that the malware and viruses evolve within days of AV updates says that the AV companies are nothing but an annoyance to the writers of the malware.
Seriously - no troll. How soon before even teaching this kind of skill, even in the name of security, will require special licensing, background checks, and any other array of "Security Theater" tactics brought forth by the Department of Homeland Security?
Hell, we can't _legally_ export anything with strong encryption but we allow multi-cultural students to learn cyber-terrorism tactics?
$20 says the instructor Mr. Ledin is either carted away to Guantanamo Bay, contract killed by McAfee or Symantec or hired by some euro country with too many consonants in their name...
Never have a philosophy which supports a lack of courage
We're Doomed!!!
Actually writing a computer virus that will track keystrokes is extremely easy to do. If anyone graduates from College with a degree in computer science and doesn't know how to do this already they should have their degrees taken away from them.
Cracking the best antivirus software is tough when you consider you have to write a completely new virus to do it. Oh wait that's easy.
God spoke to me.
I'd be kind of pissed if I took a computer security class and it was all about social engineering.
but if it was a course on penetration and end user abuse, then it would be completely relevant.
I think teaching the tools of the black arts is useful - you never know when you need to hack into a satellite system and broadcast the evil that it does around the world.
Formally learning how to engineer such products seems counter productive. Taking apart trojans/viruses seems useful, but this is just asking for trouble. You're taking script kiddies, giving them slightly more knowledge and a bit of confidence. It is fairly apparent that no major security company would hire any of these clowns, why train them to cause trouble?
This teacher is doing nothing wrong in my opinion. In fact, he is doing something that should have already been done by all other computer-security classes in the world. After all, how the heck would you stop something from happening if you don't even know how it happens?
Just like Sun Tzu once said "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
The security companies are just afraid of 2 things... Losing credibility and also being a victim of some black hat student of this teacher.
Shouldn't AV have a chance at Open Source as much as anything else?
...I codes on Linux, you insensitive clod!
If you are learning SECURITY then the first lesson is that the PEOPLE are the weakest link.
You need to design systems that minimize the human error portion. That means designing systems where it is possible to tell the "good" code from the "bad" code. Where the average user can run an app to identify the "good" code from the "bad" code.
Where the warnings are sufficiently rare that the average user is NOT trained to just click "accept" when one pops up.
Do they target only windows or does their 'education' involve writing viruses for other platforms as well?
Sent from my desktop computer
The original media release by the SSU media relations department is dated in Spring of 2007. Why is this JUST NOW crawling to the top of the news heap?
..but, there is a fairly Darwinian process involved here. While it may be easier, NOW, to go after user behavior, one shouldn't assume that ALL users are going to STAY stupid indefinitely. True, there will be a subset of those who will compensate for a lack of common sense by purchasing software to enable security for them, but as skillful compromising becomes more the norm, the costs of maintaining that "apparent" security will increase. What will likely remain are those of increased skill in regards to security, and those with increasingly deep pockets to pay for the efforts of the skilled. Barring legislation to the contrary, the non-skilled, underfunded folks that dabble occasionally online may very well find themselves denied stable access eventually, or could "opt-out" altogether. My 2p, FWIW.
"In a windowless underground computer lab in California, young men are busy cooking up viruses" it's IMPOSSIBLE! Viruses need Windows and they won't run in a Windowsless environment.
I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users.
So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?
Where's the inevitable WhatCouldPossiblyGoWrong?
> I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users. So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?
Think of it as a locksmith learning how to open locked cars or houses, not so much policemen causing crimes to learn to solve them, as by definition as long as you aren't breaking the law, you're not a criminal.
i had an assignment in a systems class in college to write a virus. half the class was outraged at such a thing the other half thought it was the most awesome idea evar. prof reasoning behind it is if you knew how to exploit a system at such low levels you knew systems programming very well.
my virus was a masterpiece com infector that infected up to 3 .com files and announced each as it was doing it. wheeeee fun!
-- troutsoup.com
i don't see why this is news. We have people make new dangerous stuff all the time... new microwave weapons to fry crowds, bigger, badder guns to blow up people "better" than we already do, etc. We even have people that work with deadly organisms and it's worked out well... ok...not a good example...
but anyway, we try to beat the system in all fields, none react quite so quickly to being broken as software, so it's slightly more dangerous. But it's not like somebody wouldn't have figured out how to get around systems anyway... it's better that the "good guys" figure out first.
711CE2644B55BB071F36457E9783E0EE3A4D9EA0
#include <stdio.h>
int main(void){return printf("hello, world\n");}
This guy is teaching cyber-terrorism !!
The SAS could take out any one of these training camps.
Kill everybody there, and be gone before the echo fades.
as a two-semester course.
It is held at the technical university in vienna and is called "InetSec"
http://www.iseclab.org/InetSec/
The course has a very high quality and includes practical exercises like sql exploits, writing buffer overflows, trojans and the like.
You even get your own automatically generated "1337 handle" upon subscription to the course, and you can advance from "script kiddy" (not homework assignments aka challenges turned in) to "master guru" (turned in everything + extra work + participated in a CTF) - so actually participating in the course is more fun and play than work ;)
I wonder why that article is news, since there is a CTF (http://www.cs.ucsb.edu/~vigna/CTF/) held every year, where a lot of universities and colleges from everywhere participate - i doubt they don't have similar courses.
Then again, since the viennese guys kick ass at these contests... ;)
...a 19 year old Finnish student has embarked on a project to learn more about his computer by writing a kernel.
No really though, I remember reading about this or something similar years ago.
Palm trees and 8
...since if that's how they're spending their time, they won't be penetrating anything (or anybody) else!
*ducks*
Is Capitalism Good for the Poor?
If a person learned Jujitsu, he would effectively be learning ways to kill people among other things. This doesn't equate to actually killing people, or actually beating people up, etc. Maybe you use your martial art to save your girlfriend or do some other good thing someday.
Just because you can possibly use some skill to be evil doesn't mean you shouldn't learn it.
It's like saying police shouldn't know any martial arts or learn to shoot a gun because they could use the skills to kill someone.
I taught myself x86 assembly and DOS API programming when I was 14, and wrote my own virus just to see if I could. I actually borrowed code from another virus, I think it was called NoFrills, that I had found on one of my disks and used parts of its memory routines. Doing this taught me a great deal about interrupts, routines, and assembly programming. I personally think virus writing should be a pre-requisite in all programming courses, sure viruses can be bad, but the techniques and things you learn (interrupt hooking, allocating memory without using the OS, callbacks, polymorphism, opening and reading files, method vtables (the same thing C++ uses)) can be used in all sorts of other areas. I remember using Thunderbyte Anti-virus to test it, and trying to hide my virus from its scanners as much as I could :P
I don't need to test my programs.. I have an error correcting modem.
Knowing is half the battle.
CAn'T CompreHend SARcaSm?
I guess the more computer science students know about how viruses work they would be better equipped to write software to combat it. On the other hand it's a chicken v egg scenario, they could also develop better viruses too. lol
this is an awful stupid post.
of course police detectives try to figure out how to re-enact the crime themselves as they are trying to solve it, and very good training (like special ops, drug enforcement) always includes playing the role of the malignant.
of course they are supposed to try their stuff on a "simulated" (as in: non productive, setup only for that task) system.
Since when do only men write code?
This is misguided. Students should be taught how to write viruses that infect other viruses.
I go to Sonoma State, Mr. Ledin is an awesome teacher, but it is true that many of the local tech companies have blacklisted the students in the class.
Right, but these people are actually pushing crap onto the internet; not just playing in simulator land.
My guess is that the lab is far from Windowless
-= This is a self-referential sig =-
... on sociological/psychological effects of/to/by computer. I can easily think of at least three major topics:
1) UI design. More general, software and user interaction.
2) Security system. As gp said, human is the weakest link. Try to understand and explain the reasons ( other than stupidity and laziness ), and how to design your system to avoid them.
3) Social network. [ Just a buzz word to attract more students !]
>>In a windowless underground computer lab in California, young men are busy cooking up viruses
If I were teaching this i'd make sure that there were plenty of copies of the different versions of that OS to test on.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
"You can build a better mousetrap" -----Rube Goldberg .....but you'll only be left with mice that are smarter than you.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
I don't believe it is windowless. Having Windows is the best way to perpetuate viruses!
From what I read, it is pretty much what Hackers do: learn the security weaknesses and then fix them, or even understand them so they can block them.
Those are Hackers, but not Crackers who would then use those... but wait... they DID seem to spam internet forums etc...
Both police and fire training involves a fair bit of *knowing how the enemy thinks*. True, no actual mugging/pyromania is involved, but it comes closer than you think. How do you think they set up the training sessions? Somebody has to play the perp, or set the house on fire, and you can be damn sure they are told exactly how to go about it.
"Good news, everyone!"
As a computer security masters candidate, I agree with the idea of teaching the "white hats" how to think like the "black hats" and to have the same sort of skill sets.
How else are we supposed to learn how to protect against crackers if we don't know what they actually do? How are we supposed to do pen testing if we can't crack systems ourselves?
I learnt how to crack in a secure lab with no connection to the rest of the internet once we had set up the computers. We got advised before we even started learning how to pingflood a computer that if we used any of the skills we learnt outside of the room while we were still studying, we would be handed over to the federal police in Australia.
*** I had a
Any competent technologist can write a destructive program but how many can write something that really changes the world?
Much like most of today's software!
They've been doing that in my University's IT Security Labs for the last 4 years.
About 10 computers on an isolated network and portable memory is banned.
I don't know too much about it but as far as I know it's mostly used for cryptanalysis in a simulated live environment.
I wonder why some of the businesses quoted by TFA are so vehemently emotional about their opposition? "vowed never to hire graduates of his class, yadda, yadda."
I could understand bland statements about not thinking that the class was an especially good idea, or believing that such a class does not provide especially useful skills; but the position given is something else entirely. Now, it could just be some journo-monkey spicing it up a bit, because that is easier than actually knowing something about the subject, or attempting to inform the reader; but it is also possible that they reported accurately. If so, the question stands.
It is particularly odd because one would expect antivirus companies to like anything that contributes to a sense of fear and insecurity. So long as the world is a terrifying place, they just need to seem more secure than their competitors in order to cash in. Why would this class upset them? It makes me wonder if, when talking off the record, they are letting sheer vanity and anger at being made to look foolish get the better of them.
I'm taking this class next semester, it's called Intro to Malicious Code. I didn't think it was that uncommon.
Of course, my college is known as one of the best schools in the nation for Computer Security. My Masters Thesis is actually being presented at the Virus Bulletin Conference this year (If I ever finish the damn thing). I'd tell you what it was, but I'd rather the server not suffer the consequences.
Think of the Ducks!
oh, so you have to make it a white thing? Me and my crackers goin to bust a chip on your BIOSch.
Comment removed based on user account deletion
Defense against the dark arts? Harry Potter? Anyone?
If you don't know what you're doing, you can't make mistakes.
Comment removed based on user account deletion
Where's the part about how FBI students/recruits get to confiscate their equipment for an undetermined amount of time, and interrogate them for illicit trading of digital feline (kitty) pornography "materials"?
Sounds like a script for a good movie, nah?
If I am an anti-virus company looking for developers, why would I possibly turn away programmers who took a course on virus development? It was a sanctioned computer course at a college or university, it would seem to me that these would be *exactly* the people you want. They should have a better understanding of how a virus developer thinks and thus have a head start on combating future viruses. Yes, it may be that some took that course because they were interested in writing malware, but many will have taken it because they want to know how to fight it. I think only a moronic close-minded company would turn these people away just because they took a course.
It's like the Dept of Justice not hiring people who took a course on criminology because they might cause a crime.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
I do think that teaching how to attack helps student learn how to fight the attack more efficiently. Would you take your car to a mechanic that didn't know how to drive?
PYROPHOR
comp sci people should know the basics of virus and malware.
Five years ago, back in 2003, the University of Calgary offered a similar course. I wonder if we'll see the same reactions and tired old positions as last time.
-- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
Are you serious? Have you read the article? There's a dedicated (and closed) network for virus production. The switch doesn't get to bump uglies with the internet.
In a very elegant manner, precisely why I've switched all of my home boxen to Linux. The end user's experience does not matter to the AV companies; it matters only tangentially to Microsoft. What matters most, is money. That is, their profitability, not mine.
If I paid for antivirus software, I would expect it to protect me from all viruses, not merely the ones trying to rip off major corporations. You need to understand the perspective of the typical Windows user:
A few years ago, I worked as a Linux developer. Since then, I've switched jobs and am now using a Windows box. Two things occur to me:
So, when I have the choice, and my time is important - that is, when it means money - I use Linux. Apparently my time isn't considered important to the AV companies. They think I can just sit on my hands and do nothing while a file is scanned. What happens is that these little annoyances add up, and I end up working overtime because some AV company is all about profit, not productivity.
The society for a thought-free internet welcomes you.
Oh, I'm sure they will get hired, no worries. But no AV company would readily admit they do. Mostly because of the other AV companies. It's a groupthink-thing. You don't hire him because all your peers think he's a loose cannon, but at the same time you want him, hire him and keep him under wraps.
The biggest fear any AV researcher faces is being accused of actively writing and/or spreading malware. You are dead if you do. You are highly dependent on being part of the network to be efficient at finding new threats. No AV researcher can afford a global detection network. Well, maybe MS could and eventually they'll have to... different story. But what it comes down to is that you depend on being on good terms with your peers.
Allegations come quickly when some minor backwater player suddenly starts finding new threats faster than anyone else. It gets worse when they find a way to remove infections that even big guns like Kaspersky have troubles with. Having someone in your team who is known as a malware author spells death for you, then.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's secret ewing! That's what he was up to. Sorry, SSU in-joke. Go Cossacks!
if you read the first paragraph in the "movie announcer voice"... it's far more fun. Sorry, just had to pass it along. (But it does sound like the opening credits to a summer blockbuster.)
Joe Investor
I went through the training for Volunteer Firefighters. You learn all about setting fires. I know guys who went to various academies. You learn all about forcibly taking things away from people. Firefighters study arson. Cops study crime. You absolutely want them to. There was never a saint who didn't perfectly understand sin.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
Ledin was my first prof on my first CS class on my first day of college. He's an awesome guy. We keep in touch, and I just had lunch with him the other day when he was out my way, and he invited me to speak at an SSU CS colloquium in September. Go Prof. Ledin!!!
I think the professor's time would be better spent communicating with the AV companies, rather than helping breed the next generation of script kiddies. Teaching college students to break AV software seems counter-productive to the industry's attempts to make things better. I am not saying the security through obscurity is better, but I think it would be helpful to determine the color of the student's hat before giving away the keys to the kingdom.
If you get to do hands on research, Where do I sign up for the lab on Drug Abuse? I want to learn to think like a Drug User. Do they teach techniques?
Well, there's antivirus companies and there's antivirus companies. Symantec and their ilk will I'm sure bluster on about how they'd NEVER hire these types, then will wonder why they just kind seem to find good employees. Kaspersky, AVG, etc., I'm sure they'd hire them.