Slashdot Mirror


Students Learn To Write Viruses

snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."

66 of 276 comments

  1. Penetrate even the best antivirus software? by ohcrapitssteve · · Score: 5, Interesting

    Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.

    Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?

    1. Re:Penetrate even the best antivirus software? by SoapBox17 · · Score: 5, Insightful

      In case that wasn't a rhetorical question, the answer is:
      Because it is a computer class (probably part of a CompSci degree), not sociology/psychology. While targeting the user is a perfectly good way to go about breaking into something, that topic area isn't very practical for computer science. I think the point of TFA is that the class teaches a lot more than "this is how to kill McAfee, now go run amok!" It is a good opportunity to think outside the box, and targeting the user is very much inside the box, and very low tech.

      I'd be kind of pissed if I took a computer security class and it was all about social engineering.

    2. Re:Penetrate even the best antivirus software? by v(*_*)vvvv · · Score: 2, Insightful

      > targeting the user is very much inside the box, and very low tech.

      Well, yes and no. This is a computer class, so sure, let's just study what you can do at the keyboard, but if you are talking security, then the user is the weakest link. The hackers that have done the most damage and made the most money have all used social engineering at one point or another. And why does it work? It works precisely because it is outside the box - the computer box. Programmers and security experts can do all they can inside the box, but their systems are not secure if an idiot holds the key or gives out passwords over the phone.

      So the most secure systems are not user dependent, but to understand how to avoid depending on the user and how to avoid creating secrets to guard, you will need insight into the social engineer-ability of a system.

    3. Re:Penetrate even the best antivirus software? by mixmatch · · Score: 3, Insightful

      > I'd be kind of pissed if I took a computer security class and it was all about social engineering.

      Unfortunately for all of us, a technical attack is usually fixable by the next version of security software or the OS, while a psychological attack will continue working effectively as long as computers are operated by people. If the objective is to benefit from an exploit, as opposed to obliterating a system, it is nearly always more profitable to deceive the victim into believing that they are still in control of their system as well. I believe that a good attack would incorporate a high level of technical expertise, coupled with a social engineering deception. There is after all a saying,

      There is no patch for human stupidity.

      I think anyone taking a computer science class that wants to disregard the human element of computing is not likely to be the most successful in the IT field.

    4. Re:Penetrate even the best antivirus software? by Beryllium+Sphere(tm) · · Score: 5, Insightful

      In the old days, the author of a high-speed worm would have wanted to avoid user interaction, because human beings slow things down. Slammer doubled the number of infections every 8.5 seconds when it took off: hard to do that when you have to wait for a user to figure out how to turn off their antivirus software.

      Someone who is targeting corporate systems today, for espionage or to recruit well-connected botnet hosts, is attacking an environment where the users may not be able to turn off their antivirus software.

      A pure social engineering attack, with no code obfuscation, would have to work in two stages. The actual payload would have to be delivered after the antivirus got turned off, not before, so there would have to be a first stage containing the UI to persuade the user to disable anti-virus. Hardly impossible, but a nuisance.

      Those are a few of the reasons, though your point stands unchallenged: humans are the weakest link, and security people who develop tunnel vision about technical protections and countermeasures are crippling themselves.

    5. Re:Penetrate even the best antivirus software? by LinuxDon · · Score: 2, Informative

      Antivirus software in most cases isn't going to do anything if there is no signature in their database matching the program being downloaded/executed.

      If you write a virus yourself, the signature won't be in the scanner and therefore it will not detect it.

      So: If you want to install a keylogger on someone's computer without the scanner detecting it, then write it yourself and you'll be sure it'll slip right past the scanner.
      Therefore: We can conclude that a virus scanner doesn't nearly provide the kind of protection it claims to provide.

  2. Oh Joy more spam by WiiVault · · Score: 4, Funny

    Sweet, another person spamming my boards! And no, education isn't an excuse.

    1. Re:Oh Joy more spam by NovaHorizon · · Score: 2, Interesting

      Do the kids have flash drives? Because that would be like a bio hazard suit with pockets.

    2. Re:Oh Joy more spam by Rockabilly_Redbeard · · Score: 3, Insightful

      I don't believe the stuff they're cooking up could be any worse than the other "5000" viruses that come out each week now. All I know is this class beats the heck out of the cybersecurity class I took in college. It seemed like all we did was read excerpts from Kevin Mitnick.

  3. Re:zomg zomg first prost! by Anonymous Coward · · Score: 5, Funny

    I love the smell of burning karma in the morning.

    Smells like... victory.

  4. Not Hackers? by mordors9 · · Score: 4, Insightful

    Not sure why the author phrased it that way. It should have read they are not criminals. They very well may be hackers. There is a difference.

    1. Re:Not Hackers? by fm6 · · Score: 5, Informative

      In ordinary English, a hacker is somebody who hacks into a computer system. That's not the way you and I use the word, but we're not most people. "Hacker" is one of many words that mean different things depending on who uses it and in what context. Language is not a map.

      Hackers (in the senses of "improvisational programmer" or "ethical student of security technology") often don't grasp this, and insist that the common usage of "hacker" is "incorrect" — even though the people who use it that way are in the majority. They've tried to get people to say "cracker" instead, ignoring the very small role Nabisco plays in computer security issues.

    2. Re:Not Hackers? by jeiler · · Score: 3, Informative

      > Hackers (in the senses of "improvisational programmer" or "ethical student of security technology") often don't grasp this.

      Actually, most (if not all) of them do, and take a perverse, quixotic joy in fighting against the majority usage. It's probably an issue of pride ("I'm a HACKER, not some scummy script-kiddie!"). I view it as about as "useful" as OS-flamewars, or endless arguments over editors.

      And while we're talking about editors, don't get me started about emacs. ;)

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

    3. Re:Not Hackers? by maackey · · Score: 2, Insightful

      Butterflies are the only way to go

    4. Re:Not Hackers? by NaishWS · · Score: 2, Funny

      Trying to get the public, the mainstream, to start using 'cracker' instead of 'hacker' may not end well for some. The next time a group of black guys yell, "Hey what you looking at cracker?", a cs student may think they are actually complimenting his/her computer skills and approach them to thank them for their kind words.

    5. Re:Not Hackers? by bigstrat2003 · · Score: 3, Insightful

      Er... how far up the dependency chain, exactly, do you want to go? Cause if we follow your idea to its conclusion, no one has ever been a hacker, unless they learned the language themselves through trial and error. Someone has to educate you on the material at some point... it's whether or not you have your hand held for you all the time that defines your hacker status, I'd argue.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    6. Re:Not Hackers? by fm6 · · Score: 2

      Need to work on your sarcasm skills. That one made no sense.

  5. Good by Safiire+Arrowny · · Score: 5, Insightful

    Sounds like these students might actually learn something about computer security from this class.

    1. Re:Good by Jaime2 · · Score: 3, Insightful

      So, police training should involve mugging practice and fire-fighter training should involve learning how to set fires. Now, I'm aware of the fact that in order to practice fighting fires, there has to be an actual fire to fight and someone has to set it. But, somehow I just don't see a five week training session at the fire department on the various ways to set different fires and how not to get caught.

      Learning how to write viruses is largely a waste of time in an information security course. Yesterday's techniques will be antiquated tomorrow, why learn them next week? I know of information security programs in the wild right now that have the students run the old "ping of death" attack that only works on unpatched 1998 vintage systems. I've always felt that in a security course, the students should study past successful attacks and try to learn what techniques could have foiled the attack that wouldn't have required any knowledge unavailable to the attackee before the attack. Concentrating on the specifics of the attack instead of the specifics of the defense is not productive.

    2. Re:Re:Good by scdeimos · · Score: 2, Informative

      > So, police training should involve mugging practice and fire-fighter training should involve learning how to set fires.

      Well, yes.

      Police here (Australia) are forced to undergo being shot by stun guns before they're allowed to carry them on duty. And fire fighters often learn how to set fires as well as putting them out, especially when they start moving into forensics to investigate suspicious fires.

    3. Re:Good by Opportunist · · Score: 2, Interesting

      You're right when you say that the ploy used 3 months ago is worthless today. Teaching someone to abuse the LSASS or RPC exploit used by Sasser and Lovsan, respectively, is about as useful as knowing how to code with punchcards. It was highly useful in the ol' days of yore, but when you tell someone in the field with pride that you can do either, they'll at best snicker at you.

      There are, though, techniques that are still useful because they cannot be patched. Mostly because they are working as intended. It is still possible to run malware inside another process, that's a wanted behaviour. It is still possible to create low level malware drivers, for the same reason. So teaching those does make a lot of sense.

      I also can't agree with the firefighter analogy. It's more like teaching a designer for locks how lockpicking works. To design the better lock, you have to know how a burglar tries to defeat them. You have to know what ways exist to get malware into the system to know which points you have to harden to raise that bar for the invaders.

      I wouldn't concentrate on any specifics, though. That would be more like handing out fishes instead of teaching to fish. Specific information is outdated the moment you learn it, because it was current when your teacher learned about it, and 3 months is a long, long time in that field. What was state of the art a year ago isn't too interesting anymore today. To make the teaching efficient, you have to steer clear of anything too specific for a given attack. The theory, the basic idea behind an attack, is more important than any practical application. Teach where systems are vulnerable, and what vulnerabilities cannot be closed easily because the system depends on them. Then start thinking of ways how to seal them as good as possible.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Sounds pretty cool by Anonymous Coward · · Score: 2, Insightful

    I wish my computer security class in college had been like this. Most of the stuff we did had no creativity involved, nor complexity. We did some password cracking (using John the Ripper), sniffing on a network, and a SQL injection. Kind of lame compared to the stuff in TFA.

    1. Re:Sounds pretty cool by Pictish+Prince · · Score: 5, Funny

      Well, they said it was a windowless class, so I guess it's higher than entry level.

      --
      Only his tendency toward a dazed stupor prevented him from screaming aloud.
  7. No great accomplishment by John+Hasler · · Score: 4, Funny

    > Their professor, George Ledin, has showed them how to penetrate even the best antivirus
    > software.

    That and $.10 will get you a year's supply of fake Viagra.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. So what? by x_MeRLiN_x · · Score: 5, Insightful

    I was under the impression that all security courses worth their salt taught skills that could potentially be used maliciously. How does one learn how to be a penetration tester? What makes this case different?

    Polymorphism is at least an option in most Computer Science courses. Does one really need to sit down and be taught "how to write viruses" specifically? Or can a huge amount of people who write code use their initiative and learn how to write any kind of application?

    > Managers at some computer-security companies have even vowed not to hire Ledin's students.

    What companies? Would they want to work there anyway?

    1. Re:So what? by PC+and+Sony+Fanboy · · Score: 2, Interesting

      > What companies? Would they want to work there anyway?

      Spot on! I mean, why work for a security company, when you can work for a government? Isn't that what this guy is going to do in New Zealand?

      and ... failing a government contract, why not just 'make' your own money using your newly found l33t haxx0r skillz from school?

    2. Re:So what? by x_MeRLiN_x · · Score: 3, Insightful

      So..? The ability to "hack software" is the ability to find exploits. An exploit that only you know is far more dangerous than one that circulates widely enough to reach the attention of a college lecturer.

      There are public lists of unpatched exploits. It's easy to become part of an underground community that pools their exploits.

      My point being, this knowledge is incredibly easy to obtain by anyone. I'm inclined to believe that college students receiving tuition from an ethical hacker who presumably intend to gain legal employment are less of a risk to society than people who decide to Google for the latest exploits so they can exact revenge on an employer (for example) or those with truly nefarious intentions and are talented enough not to need outside tuition.

    3. Re:So what? by quadelirus · · Score: 2, Insightful

      I don't think one needs to be taught how to write viruses.

      Case in point for the sake of argument:

      A buffer overrun is a common vector for malicious code. Knowing what types of code cause a buffer overrun is required to protect against them. Practicing writing assembly code to insert into the buffer to actually exploit something is not. Teaching exploitation is not necessarily the same as teaching protection.

    4. Re:So what? by Opportunist · · Score: 5, Insightful

      Uh... ethics?

      I know a few people, amongst them me, who could come up with malware that no AV kit can easily defeat, mostly because we know how AV kits work. We write them.

      But there is a reason why you don't hear about AV writers making malware (despite the rumors. Let me put something straight: WE DO NOT NEED TO WRITE IT! Why bother doing something for your job security if it's done for you?). The AV biz is a very geeky one. I don't know a single person who's in it because of the money (well, we of course don't hate the money, but you could make a shitload more by switching sides...). We're here because we like what we do. We like the 'net. And despite not really liking the idiots who click on every crap they get sent, we want to protect. No, not them. The net FROM them.

      More and more malware is actually an attack on the 'net in general rather than a specific person. And as stated above, we like our net clean. If you, as a researcher, become known as someone who actually writes the crap, you're done for. Nobody will talk with you anymore. Worse, the whole industry will want your head. You piss in our pool, you better get out before we give you the wedgy of doom.

      This is mostly why nobody with the skills writes malware. That it's illegal to distribute a malicious program in most countries is just a minor annoyance compared with that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Old News by dcollins · · Score: 4, Interesting

    Virus writing was part of my assembly & architecture class circa 1990.

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    1. Re:Old News by devonbowen · · Score: 5, Interesting

      Back when the Morris worm hit in '88, I was teaching assembly language. We'd spent the whole day on the worm (making sure it hadn't planted or destroyed any files on our machines) and I didn't have a lecture prepared by class time. So I told them I'd explain the worm instead but that they could leave if they wanted since it wouldn't be on the exam. Our topic the week before was how the stack was changed during function calls so they already had the background. No one left and I got the pleasure of watching faces light up around the room as it dawned on people where my explanation was going. Ah, those were the days...

      Devon

  10. "We've Changed this Game" by KnowledgeEngine · · Score: 4, Insightful

    In response to the AV vendors' reply "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place,"
    Normally if something is going to succeed, it evolves to overcome natural or manmade barriers to its existence.
    In a way, the fact that the malware and viruses evolve within days of AV updates says that the AV companies are nothing but an annoyance to the writers of the malware.

    1. Re:"We've Changed this Game" by Anonymous Coward · · Score: 5, Interesting

      I used to write viruses. Evading anti-virus software was sort of like the testing/tweaking phase of software development -- "oops, mcafee flagged it as suspicious, let me modify this line of code here, this one here... ahah, fixed".

      The truth is, anti-virus technology hasn't significantly changed since the DOS days. It's all about heuristics, pattern-matching, and behavior-preventing. It's trivial to evade these technologies.

    2. Re:"We've Changed this Game" by Opportunist · · Score: 5, Insightful

      You become better, we become better. It's a race, nothing more, nothing less. And I think both sides know that neither side will eventually win.

      The question today isn't whether AV kits can catch every virus out there. The question today is, can we make development of malware so expensive that it doesn't pay anymore? Malware development isn't the pastime of some pimple-faced teen with too much time and no girlfriend on his hands. Malware is, simply and plainly, a business. And like every business, it aims at profit.

      The goal of AV kits today is just to minimize that profit the malware distributors can gain. We know that we can't find every virus some teen hacks out to prove that we can't find his trojan. Ok, we can't. Mission accomplished. But your trojan doesn't bother us or anyone, unless it becomes the next Sasser. You are no threat. What does your trojan do? Hijack your friend's WoW password? Get offa my lawn and come back when you've become more than an annoyance.

      Today, malware has to be "important" to be hunted by AV companies. I.e. it has to cost more than a handful of people money. It has to spread wide, has to hijack eBay and PayPal accounts (and bank accounts if possible), be a spambot or something else that actually has some impact. And those packages are invariably developed and employed by organisations who aim at making money.

      So the goal today has changed, from protecting you to stifling their income (which also serves to protect you, in a way). Yes, we're trying to keep back the ocean that comes with a tsunami with a broom. Our back is against the wall. The best we can do today is to limit their income in an attempt to show them it's more profitable to go back to good ol' burglary.

      When you, as a private person, write some malware and release it into the world, you'll eventually be detected, too. But you're not important. The damage you do, the footprint you leave on the international detection grid, is so insignificant that, sorry if I'm so blunt, you don't count.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:"We've Changed this Game" by Opportunist · · Score: 2, Informative

      Depends on your definition of dangerous. Sasser and Mydoom were certainly dangerous, and were both (one certainly, one likely) developed by a single person without any direct financial interest. Their danger simply lay in the ability to spread insanely quickly even when people didn't actively support the propagation of the malware, due to the ability to spread the worm through bugs in remote procedure call routines.

      For some financial damage, you don't need good writers. Actually, a lot of the current malware is by no means any more sophisticated than the average business application, with a few routines thrown in for hiding and propagation, which have been written once and are now being jumbled by some other third party stealther program to avoid too easy detection. Malware isn't an artform anymore. Analysis of current trojans is tedium. Not a challenge. Very rarely you get some really cool polymorph on the desk, but they're few and far between, usually the rate is about one or two a year. The average trojan today is a variant of something, you can even trace families through the dead code that's still cluttering today's malware, old code that was used a year ago but has no meaning due to changes made to make detection harder, or because the malware got some new task altogether. Recently I analyzed a spambot that was developed out of a bank phishing tool.

      Detach yourself from the idea that malware is something some geek with good ASM knowledge makes. You have groups of coders with varying skill, working together. You have a few good coders that create the stealthing and infection code, and others with less skill who take this and build the "working" part on top of that. Often you can even see that they simply copied some sample code and adjusted it for their uses.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:zomg zomg first prost! by lgramling · · Score: 2, Informative

    Why don't we try to get the LAST post in the thread. That way we don't have to look at your comment, and you still have the satisfaction of "winning".

  12. Social Engineering VS Computer Sci by PC+and+Sony+Fanboy · · Score: 4, Insightful
    I agree with soapbox, with

    > I'd be kind of pissed if I took a computer security class and it was all about social engineering.

    but if it was a course on penetration and end user abuse, then it would be completely relevant.

    I think teaching the tools of the black arts is useful - you never know when you need to hack into a satellite system and broadcast the evil that it does around the world.

    1. Re:Social Engineering VS Computer Sci by MindlessAutomata · · Score: 5, Funny

      I'd like to take a course on penetration. I might actually learn something.

    2. Re:Social Engineering VS Computer Sci by TubeSteak · · Score: 5, Funny

      > I'd like to take a course on penetration. I might actually learn something.

      Unlike college courses, those 'teachers' charge by the hour.

      Though if you are in college, you could take it as an... extracurricular.

      --
      [Fuck Beta]
      o0t!
    3. Re:Social Engineering VS Computer Sci by maxume · · Score: 2, Funny

      Or just do some petty crime so you get to spend some quality time in county -- the course is free, and apparently not an elective.

      Zing!

      --
      Nerd rage is the funniest rage.
    4. Re:Social Engineering VS Computer Sci by TheLink · · Score: 2, Funny

      "Unlike college courses, those 'teachers' charge by the hour"

      Do they provide "hands on" training as well?

      I find I often can learn a lot more from "hands on" training.

      --
    5. Re:Social Engineering VS Computer Sci by Kingrames · · Score: 2, Interesting

      Also, keep in mind it looks better on your resume than a fine arts degree.

      --
      If you can read this, I forgot to post anonymously.
    6. Re:Social Engineering VS Computer Sci by palegray.net · · Score: 2, Funny

      Yes, but all tests are orally administered.

  13. Re:How long before Ledin is visited by DHS? by shadwstalkr · · Score: 2, Insightful

    > $20 says the instructor Mr. Ledin is either carted away to Guantanamo Bay, contract killed by McAfee or Symantec or hired by some euro country with too many consonants in their name...

    Seriously? Virus writing is extremely well documented all over the internet, and has been for a long time. Anybody with some initiative can learn this stuff, and really it's probably the best way to learn assembly, executable formats, and a whole slew of cool little tricks you can do with a computer. Virii do a lot more than delete files. There is a lot to learn by building rockets, and we shouldn't stop just because some people like to put explosives on theirs.

    That said, I wouldn't be surprised if Mr. Ledin is reprimanded by the university administration for getting bad press.

  14. Re:How long before Ledin is visited by DHS? by failedlogic · · Score: 3, Insightful

    Maybe he is working for the DHS, you insensitive clod!

    Interesting point nonetheless. There is a difference between classroom and reality. In a psychology, medicine, chemistry, biology, criminology ... whatever class at any level you are taught some pretty dangerous stuff. 99.99999% of students are sane, normal human beings that won't use the info. It's that small %age of students who will do something that are the concern. I don't think taking the class in-and-of itself is the catalyst to being a cyberterrorist. I would at least question the intentions of students that *already* know a few too many things in the class or get an A+ effortlessly for the course.

  15. Re:speaking of penetration... by Anonymous Coward · · Score: 2, Funny

    Use your imagination.

  16. Re:Hostile Authorities by Darkness404 · · Score: 5, Interesting

    Yes, but why are they even caring? I mean, today I picked up a copy of 2600 from a local bookstore, in there I learned how to do ARP poisoning, obtain malware via a honeypot, and all kinds of info that is similar to this. Yet I don't see the FBI raiding 2600's publisher burning all copies of the magazine.

    You can get cracking techniques from loads of places, this guy's teachings are old news.

    --
    Taxation is legalized theft, no more, no less.
  17. They need BOTH! by khasim · · Score: 4, Insightful

    If you are learning SECURITY then the first lesson is that the PEOPLE are the weakest link.

    You need to design systems that minimize the human error portion. That means designing systems where it is possible to tell the "good" code from the "bad" code. Where the average user can run an app to identify the "good" code from the "bad" code.

    Where the warnings are sufficiently rare that the average user is NOT trained to just click "accept" when one pops up.

    1. Re:They need BOTH! by TheLink · · Score: 2, Interesting

      I've proposed this:

      https://bugs.launchpad.net/ubuntu/+bug/156693

      3rd party code should say what it is and what sandbox template it requires to run.

      If the requested sandbox is in line with what the code claims to be, and "what it is" is what the user wants, then the user can decide to allow it.

      The O/S then sandboxes the code according to those privileges.

      Expecting users or software to identify good code from bad code is similar to expecting them to solve the "Halting Problem".

      With my suggestion, it is a lot easier to train users to understand that a "Paris Hilton Video" which requires "Full System Privileges" is likely to be malware.

      Whereas a "Cute Game" that requires "Guest Game Privileges" should be OK and since the O/S sandboxes it, there's little the "Cute Game" can do - it should not even be able to access the user's Documents (which unfortunately is possible in most Desktop O/Ses today - almost anything the user launches can access the user's documents, microphone, webcam etc).

      --
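
The manifest check proposed in the comment above, sketched as an added example (it is not part of the comment or of the linked Ubuntu bug). Only the template names "Guest Game Privileges" and "Full System Privileges" come from the comment; the manifest fields, the capability names and the "Media Viewer Privileges" template are assumptions made for illustration.

```python
"""Declared-purpose vs. requested-sandbox check (hypothetical schema)."""
from dataclasses import dataclass

# Sandbox template -> capabilities the OS would grant under it.
# Capability names are assumed; two template names are taken from the comment.
TEMPLATES = {
    "Guest Game Privileges": frozenset(
        {"display", "audio_out", "input", "own_data_dir"}),
    "Media Viewer Privileges": frozenset(          # assumed template
        {"display", "audio_out", "read_opened_file"}),
    "Full System Privileges": frozenset(
        {"display", "audio_out", "input", "own_data_dir", "read_opened_file",
         "user_documents", "microphone", "webcam", "network", "system_files"}),
}

# Declared kind of program -> templates that are "in line with" that claim.
EXPECTED_TEMPLATES = {
    "game": {"Guest Game Privileges"},
    "video": {"Media Viewer Privileges"},
    "system utility": {"Full System Privileges"},
}


@dataclass(frozen=True)
class Manifest:
    name: str       # what the user sees, e.g. "Cute Game"
    kind: str       # what the code claims to be
    template: str   # sandbox template it asks to run under


@dataclass(frozen=True)
class Decision:
    verdict: str                      # "prompt", "warn" or "reject"
    reason: str
    granted: frozenset = frozenset()  # capabilities if the user approves
    excess: tuple = ()                # capabilities beyond what the kind needs


def evaluate(manifest: Manifest) -> Decision:
    """Compare the claimed kind with the requested sandbox template."""
    requested = TEMPLATES.get(manifest.template)
    if requested is None:
        return Decision("reject", f"unknown sandbox template {manifest.template!r}")
    expected = EXPECTED_TEMPLATES.get(manifest.kind)
    if expected is None:
        return Decision("reject", f"unknown declared kind {manifest.kind!r}")
    if manifest.template in expected:
        # Claim and request agree: the user decides, the OS enforces the template.
        return Decision("prompt", f"{manifest.kind} requesting {manifest.template}",
                        granted=requested)
    # Mismatch: report exactly what is requested beyond the kind's usual needs.
    baseline = frozenset().union(*(TEMPLATES[t] for t in expected))
    excess = tuple(sorted(requested - baseline))
    return Decision("warn",
                    f"{manifest.kind} does not normally need {manifest.template}",
                    excess=excess)


def may_access(decision: Decision, capability: str, user_approved: bool) -> bool:
    """Enforcement side: nothing runs outside an approved, matching template."""
    return (user_approved and decision.verdict == "prompt"
            and capability in decision.granted)


# Constructed sample manifests, named after the examples in the comment.
SAMPLES = [
    Manifest("Cute Game", "game", "Guest Game Privileges"),
    Manifest("Paris Hilton Video", "video", "Full System Privileges"),
    Manifest("Mystery Tool", "game", "Kernel Privileges"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        d = evaluate(m)
        extra = f" excess={list(d.excess)}" if d.excess else ""
        print(f"{m.name:20} {d.verdict:7} {d.reason}{extra}")
```
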
    2. Re:They need BOTH! by Hank+the+Lion · · Score: 2, Informative

      This is an interesting idea, and is what Nokia does on their Symbian platform in the newest releases.
      The problem with Nokia is that they don't trust their customers to make the decision, so every app needs to be signed by Nokia before it will run.
      This has the advantage that it will be difficult to create and spread malware, but the drawback that it is much more difficult to create your own applications.

  18. Re:Weak sauce. by bluefoxlucid · · Score: 5, Insightful

    Because breaking into things and creating stealthy shit is the greatest problem solving skill you will ever find.

    By nature, to break into a computer, you have to force it to do something it (software, sometimes hardware i.e. Intel errata) was specifically not designed to do. Usually this amounts to something not obvious to 100% of the rest of the world for some strange reason being obvious to you. The more experience you have warping completely tame and working interfaces in perverse ways due to minor quirks, the easier this becomes.

    Load modules and shared objects aren't designed to be altered like that; and in this case you have a system designed specifically to catch and prevent you from doing what you're doing. This is, again, forcing something into a position it's not designed to operate in to achieve a predictable result.

    Carmack's Reverse, Duff's Device, and even Edison's light bulb worked from these same principles; remember, by its very nature you cannot have light without fire.

  19. Viruses in a WINDOWsless environment ? by destinationPattern44 · · Score: 5, Funny

    "In a windowless underground computer lab in California, young men are busy cooking up viruses" it's IMPOSSIBLE! Viruses need Windows and they won't run in a Windowsless environment.

  20. Is there, or should there be a line to education? by grilled-cheese · · Score: 2, Interesting

    I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users.

    So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?

  21. Re:Is there, or should there be a line to educatio by Mr+Pleco · · Score: 3, Insightful

    I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users. So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?

    Think of it as a locksmith learning how to open locked cars or houses, not so much policemen causing crimes to learn to solve them, as by definition as long as you aren't breaking the law, you're not a criminal.

  22. Cyber-Terrorism by prakslash · · Score: 2, Funny

    This guy is teaching cyber-terrorism !!

    The SAS could take out any one of these training camps.
    Kill everybody there, and be gone before the echo fades.

  23. Re:speaking of penetration... by azuredrake · · Score: 5, Funny

    Thomas Fynan floods a bulletin board with huge messages from fake users.

    Ah-hah! Got ya!

    --
    Quis custodiet ipsos custodes?
  24. we have that in vienna for years... by Meshugga · · Score: 5, Informative

    as a two-semester course.

    It is held at the technical university in Vienna and is called "InetSec"

    http://www.iseclab.org/InetSec/

    The course has a very high quality and includes practical exercises like SQL exploits, writing buffer overflows, trojans and the like.

    You even get your own automatically generated "1337 handle" upon subscription to the course, and you can advance from "script kiddy" (no homework assignments aka challenges turned in) to "master guru" (turned in everything + extra work + participated in a CTF) - so actually participating in the course is more fun and play than work ;)

    I wonder why that article is news, since there is a CTF (http://www.cs.ucsb.edu/~vigna/CTF/) held every year, where a lot of universities and colleges from everywhere participate - I doubt they don't have similar courses.

    Then again, since the Viennese guys kick ass at these contests... ;)

  25. What about martial arts.. by Safiire+Arrowny · · Score: 4, Interesting

    If a person learned Jujitsu, he would effectively be learning ways to kill people among other things. This doesn't equate to actually killing people, or actually beating people up, etc. Maybe you use your martial art to save your girlfriend or do some other good thing someday.

    Just because you can possibly use some skill to be evil doesn't mean you shouldn't learn it.

    It's like saying police shouldn't know any martial arts or learn to shoot a gun because they could use the skills to kill someone.

    1. Re:What about martial arts.. by Jaime2 · · Score: 3, Insightful

      You're defending the wrong point. I never said that students shouldn't learn to write viruses because it's evil or dangerous. I said students shouldn't learn to write viruses because it is a poor way to learn information security. I really don't care if they are now "a threat" because of taking this class. The last person I'd be scared of is a student who decided to take a class on virus writing. The success stories in that industry are all self-starters. However, the 14 class hours and countless hours spent on homework and projects have been 100% wasted. The students now have an appreciation for how easy it is to be the attacker... big deal. If they didn't already read that and believe it, they are going to fail at information security. If every little point has to be driven home with 50 hours of practice, then they have heads made out of rocks.

      What is the expected takeaway from this class? Are the students supposed to hand threat model all systems and test their defenses with home-made viruses? Any half-baked defense scheme will stand up to an attack crafted by the defender. Just look at Kryptonite bicycle locks -- years of research and development defeated by a BIC pen. The lesson is that nothing is even reasonably secure until it has been exposed to many thousands of attack attempts by many thousands of deviant minds. This class will only serve to delude some of the students into thinking they are penetration testing when they are actually just randomly poking at their defenses.

    2. Re:What about martial arts.. by jhfry · · Score: 2, Interesting

      students shouldn't learn to write viruses because it is a poor way to learn information security

      I don't agree. It would be a poor way if it was the only way you learned, however it's actually an excellent lesson for students who would otherwise fail to recognize just how easy it is to do and just how unprotected they are by software AV solutions.

      Sometimes the best way to teach something is to immerse the student in it... and even better is to show them the other side of things.

      Your statement is like saying that taking classes in breaking software (unpredictable behaviour) is a poor way to learn to test software. The more intimately you understand the threats, the better you can protect against them.

      Besides... a class like this will breed a bunch of new Linux users cuz they will realize how easy it is for their Windows machines to be pwned.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.
  26. Should be mandatory by Spikeles · · Score: 2, Interesting

    I taught myself x86 assembly and DOS API programming when I was 14, and wrote my own virus just to see if I could. I actually borrowed code from another virus, I think it was called NoFrills, that I had found on one of my disks and used parts of its memory routines. Doing this taught me a great deal about interrupts, routines, and assembly programming. I personally think virus writing should be a pre-requisite in all programming courses, sure viruses can be bad, but the techniques and things you learn (interrupt hooking, allocating memory without using the OS, callbacks, polymorphism, opening and reading files, method vtables (the same thing C++ uses)) can be used in all sorts of other areas. I remember using Thunderbyte Anti-virus to test it, and trying to hide my virus from its scanners as much as I could :P

    --
    I don't need to test my programs.. I have an error correcting modem.
  27. Make it interesting by Mindbridge · · Score: 2, Insightful

    This is misguided. Students should be taught how to write viruses that infect other viruses.

  28. Re:speaking of penetration... by KGIII · · Score: 2, Informative

    No, no, no... Not more. This is /. after all. I actually read all of it and I did enjoy reading it with all of its insanities but I really don't think that qualifies as a quality post.

    --
    "So long and thanks for all the fish."
  29. Windowless? by waylandbill · · Score: 2, Funny

    I don't believe it is windowless. Having Windows is the best way to perpetuate viruses!

  30. Re:And that seems extremely stupid by Phrogman · · Score: 4, Insightful

    If I am an anti-virus company looking for developers, why would I possibly turn away programmers who took a course on virus development? It was a sanctioned computer course at a college or university, it would seem to me that these would be *exactly* the people you want. They should have a better understanding of how a virus developer thinks and thus have a head start on combating future viruses. Yes, it may be that some took that course because they were interested in writing malware, but many will have taken it because they want to know how to fight it. I think only a moronic close-minded company would turn these people away just because they took a course.

    It's like the Dept of Justice not hiring people who took a course on criminology because they might cause a crime.

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
  31. Your post sums up... by gillbates · · Score: 2, Insightful

    In a very elegant manner, precisely why I've switched all of my home boxen to Linux. The end user's experience does not matter to the AV companies; it matters only tangentially to Microsoft. What matters most, is money. That is, their profitability, not mine.

    If I paid for antivirus software, I would expect it to protect me from all viruses, not merely the ones trying to rip off major corporations. You need to understand the perspective of the typical Windows user:

    • In the first place, the box is already slow because it's running Windows. The typical user either lacks the sufficient skill/time/money to switch their OS, or their corporate policy prevents them from doing so.
    • Now, we have to run AV software, which slows the machine down even more.
    • And worse, it doesn't completely protect us, it just stops the major attacks. My company's tech support still have to do virus cleanup from time to time, though the incidents are fewer and farther between.
    • And worst of all, the user's machine is slowed down to the point where it actually affects their ability to get work done, and it is your fault. I'm running a 3.4 GHz, 1 GB RAM XP machine, and I can still watch it draw the windows and menus. My 1997 Pentium 120MHz system with 16 MB of RAM running Windows 95 could draw the windows faster than I could see them, but for some reason, in this brave new world of XP and AV, I'm getting a user experience that is strangely reminiscent of the 80's.

    A few years ago, I worked as a Linux developer. Since then, I've switched jobs and am now using a Windows box. Two things occur to me:

    1. When I used Linux, I never noticed how "fast" the system was because generally speaking, it just worked. Now, I can time things like restoring a program from the taskbar with a stopwatch. Using the minute hand. I've got apps that take 90 seconds to start working again. Firefox can load ./ in the time it takes Windows to draw a single menu.
    2. I shipped around a hundred times more lines of code when I was using Linux. Yes, you read that right: I'm about a hundred times more productive on Linux compared to Windows. (Yes, the issue of productivity is complicated, but as much as my professional pride would like to think otherwise, I've had to come to terms with the fact that the sluggishness of my workstation does affect my productivity. Sometimes, a poor workman's tools really are to blame...)

    So, when I have the choice, and my time is important - that is, when it means money - I use Linux. Apparently my time isn't considered important to the AV companies. They think I can just sit on my hands and do nothing while a file is scanned. What happens is that these little annoyances add up, and I end up working overtime because some AV company is all about profit, not productivity.

    --
    The society for a thought-free internet welcomes you.