Slashdot Mirror
CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"
An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."
Interesting timing ; not quite the same.
One is Defensive Planning; One is about New ways to use things.
US Government Announces National Day of Civic Hacking
http://yro.slashdot.org/story/13/01/23/1823208/us-government-announces-national-day-of-civic-hacking
_JS
And also a very good explanation. How on earth did they produce such a hopelessly stupid system? It was designed by people who are unready for engineering systems to be used.
I am a big fan of not blaming the victim, as a matter of moral principle. That's a great policy. But it's really crappy engineering design; building something that is designed to rely on the assumption that society can reliably provide perfect enforcement is stupid.
There's another layer of difficulty, which is that it is not always obvious whether something is a security hole or a permissive feature...
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
When did all the computer science programs turn in to trade schools for programmers?
Meh, why fight it. Lower that bar!
Required reading for internet skeptics
All that happened was some young hotshot did something the dept forbids. He paid for that, end of story. How you go from there to "CS depts out of touch with today's world" is beyond me, but then again I'm not some CTO either.
'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,'
That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds. Anyone remember Steve Jackson Games? They released a game where one of the roles you could play was a computer hacker. The FBI called it a "handbook for computer crime" and the "anarchist's cookbook of cybercrime". No charges were ever filed. It was a work of fiction. It still nearly bankrupt them and took many years to resolve.
Schools do not want to teach students because they're afraid of government reprisal if they show a generation just how crappy our national infrastructure really is. As one recent net celebrity put it, "Our security posture is like a dog waiting for its belly to be rubbed." They don't wanna teach people how to find these problems, because it'll embarass the crap out of The Powers That Be.
Don't blame professors for this. Look higher.
#fuckbeta #iamslashdot #dicemustdie
However, I don't buy that what this student did was hacking (in the cracking sense)
Targeting a system you don't own, or aren't reponsible for and trying to break into it is almost always not a good thing to be doing, and should be considered unprofessional (and unethical) conduct.
Noticing a problem while you are setting something else up, notifying the appropriate people, and checking to see if that problem is gone are very reasonable things to do.
I have been working in Computer Security in Internet Banking for the last 15 years, and while I have had many co-workers who measure their worth by how good they are at breaking in to things, very few of those people have been nearly as good at defending those same things.
Figuring out how to hack a site takes finding one vulnerability.
Figuring out how to defend a site takes thinking about all types of vulnerabilities.
What they are teaching is that it is unethical to run penetration testing against a system without permission. This philosophy is embodied in the ACM Code of Ethics, in section 2.8:
He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.
Maybe there should be a slightly different attitude towards breaking into computer systems, or attempting to break into them. However, it needs to be mentioned that if you are learning to skydive the first lesson isn't "what if you chute doesn't open." Similarly, the first project in a chemistry class isn't making dynamite.
What this case showed was a student with some skills could break into a university system. Great. One problem is that the student had little grounding in what consequences might pile up if this skill was used. Like the chemistry student making dynamite the knowledge might be there but no judgement about what to do with that knowledge.
Unfortunately, I don't think the proper response is for companies to hire people like this. They need a lot more work before they really can be expected to use their skills in a responsible manner - and today's corporate environment is hardly the place where people are going to get that. Would a person with the skill to break into computer systems and zero reasons not to do so willy-nilly (especially at the direction of lower level management with all kinds of reasons of their own) be a quality employee? More importantly, would such skills misused result in a good reference on down the road?
We are setting these people up to be unemployable in the future, right after they are exploited.
Like the saying:
Those who can, do
Those who can't do, teach
Muchas Gracias, Señor Edward Snowden !
If we want CS students what's really involved in creating a secure system, how about a mandatory "intro to hacking" course?
Using systems intended for such purposes and not someone else's production systems, of course.
Many years ago our Uni had such a course, run in two parts. Part 1: Unix system administration 2: How to break into improperly administered Unix systems. Nobody went to jail. Nobody was branded a terrorist. Many (some?) people learned how to be system admins.
At the university I go to, I recall a computer architecture teacher that used handouts/slides from when the Pentium 4 was the highest-end CPU available
Basic computer architecture is basic computer architecture. The specifics may change, the number of bits may change, but the basics are still the same. I learned on 8080s and 6502s and PDP-8s and an odd CDC 6500, and they all shared the same concepts. When I pick up a datasheet for a modern processor, I see a lot of the same old stuff.
Once you have the basics, then you can expand. "How can we improve on X? By doing Y...". You don't know why Y is better unless you know what X is. And more important, it is hard to see the potential parallels for future improvement unless you know the past. "If we did A to improve X into Y, maybe we can do A to help this other thing, too..."
he had a test account and as working on a app I think the school just was very out of touch with the real world IT.
Let's see he finds a bug while coding his app and then he reports it and say it was fixed and then a few days later he tests the bug it's still in place.
Give it a rest dumbfuck.
Wow! What a creative comeback. Really, That was SO impressive!! "Dumbfuck!" Such poetry, and you managed an actual two syllabe word. Most impressive, can I use that? Whatever you're paying your writers, double their salary and give them 2 weeks in Hawaii. That was, dare I say, creative genius! Yes, yes it was.
I may never post again, there's no reason to now, for I have read the ultimate in rebuttals. Someone call the Fox channel!
give them the power to say no the PHB about rushing the code out with bugs.
civil engineers have that power.
You're making a very bad assumption that only poor professionals work in minor colleges.
There are countless reasons for working at one university rather than another, the simplest being that it's a place you like or where you have family. Another might be that it provides good promotion prospects rather than only dead man's shoes. And another big one is that it's not a place infested with prima donnas where the only option is to play second fiddle.
Academia has a lot of problems, and choosing the best place to work is not anything like as simple as you portray. Not everybody is driven by high salaries and high prestige colleges. Indeed, the kinds of places you seem to rate most highly are often a huge rat race and not pleasant at all.
While I don't know Dawson College, just because it's small and not well known does not say anything about the caliber of its academics.
does no one ever read the article anymore?
It was on a test server.....using credentials given by the vendor, Skytech Communications.
The mere fact that Skytech supposedly gave him a job offer is enough to think that the department has their collective heads up....well..you get the point.
There's a reason why the legendary Weld Pond would be so vocal and would even say "These kind of people right out of college are the kinds of people we want to hire."
I think it was some time in the 1980s when there was a very strong push to get academics in applied fields to do some outside consulting or perish. Then there's academics such as the head of R&D at the company I work for - two days a week at university and the other three designing and improving equipment and techniques that are used in a commercial venture.
In the physical world, there is NO SUCH THING as perfect security. You can't design a setup that someone else cannot overcome. All you can do it make it so hard that nobody would try, and multi layered so you hopefully catch something if there is a failure at one level. There's no perfect security, no magic bullet.
Likewise there is nothing that is invincible, nothing that can withstand any and all attacks without problems. Everything has failure points, everything can be broken. You have to use things properly or they WILL fail.
We all accept this as part of every day life. However then when it comes to the virtual world, to computers, geeks seem to think things should be perfect. No system should ever have any security flaw, ever. No system should break or fail, even when subjected to deliberate attack. Everything should be built flawlessly.
Nope, sorry, doesn't work that way. While it is a lot easier to make things more resilient than in the physical world, you still have to assume that failure is possible, that flaws are present and not known. That is just life.
This isn't really about Al-Khabez. It's about policing the boundaries of the profession. The problem - the reason that there is a culture clash - is that despite attempts for over 40 years, no-one has succeeded in transforming computer programming into a profession. To be more precise, whether programmers professionalized remains a serious question for debate.
Look at the quotes from Simonelis, Dawson, and the ACM:
If programming were a profession like medicine or law or engineering, programmers would acquire higher status, as would organizations like the ACM. From the point of view of managers, programmers are often seen as unmanageable crafts people with little respect for standard practices of business. For them, professionalization is about controlling and assessing programmers and theirwork. The rise of computer science, the creation of software engineering, and the creation of the ACM were all driven in large part by efforts to professionalize the field: sometimes more in the interests of programmers, sometimes more in the interests of management
This comes up again and again on Slashdot. Should there be a standard curriculum or test or other criteria that all programmers should meet? Should we have to belong to professional associations? Should programmers be obliged to follow codes or take legal responsibility for flaws in software? How much should formal education and credentials be valued? Should self-taught programmers be excluded?
These are contentious issues. Clearly Dawson College and Mr Simonelis have an interest in defining and policing the boundaries of the profession. This would enhance their status. But as nearly a half century of debate and ongoing discussion here demonstrate, there is no professional consensus for them to uphold. This is real cultural divide. Al-Khabez got caught in the middle, used by Dawson in their efforts to define the profession and their own status. I think that's terribly unfortunate.
For an excellent book on the history of programming and efforts to professionalize it, see The Computer Boys Take Over by Nathan Ensmenger. He argues that programmers are morke like technicians than professionals. Like other technicians, their work is often threatening to the organizations that depend on them. And despite the best attempts of computer science and software engineering, much of it is guided more by craft principles than by rigorous scientific or engineering methods.
Computer Science is taught in this idealized world separate from reality
Getting unexpectedly in trouble for breaking arbitrary or unclear rules? No, it sounds exactly like the real world.
Go ahead and show me the home/business alarm you think will stop me. Go ahead. I can more or less guarantee you can't do it. The reason is I know quite a bit about how they work, since my grandpa has been in the business of selling them all his life, and how they can be defeated. Particularly if you are talking something public where you can look around innocuously and find out what is there. Ultimately they are at their core just a circuit board in a box that connects to sensors, sirens, and maybe a phone line. Break the board, they stop working. If you have one in your house open it up and see what's inside. It is simplistic, and not at all attack resistant other than the thin metal box it lives in.
For that matter, defeating an alarm really isn't necessary if taking something, like say physical data (files and so on) is your objective. All they do is make noise and if they are good ones, call a security company who will eventually call the police who will eventually respond (they aren't that fast, false alarms happen often). That doesn't stop people with guns from kicking in your door, grabbing what they want, and leaving.
Same shit with security guards. You ever have a look at the security that public places like office buildings and malls use? They are unarmed, and low paid. Their job is to call the police if shit happens. It doesn't take much to out-class them, you bring a pistol with you, you've already got them hopelessly outgunned. You think they are going to throw their life on the line if someone holds them at gunpoint? Hell no. For that matter there usually aren't very many. The mall near me has one car that patrols their parking lot at night (I overlook the parking lot). That is it for perimeter security. I don't know what they have inside, but you can bet it isn't much more (maybe not even anyone).
Physical security at homes and businesses keeps out the causal crooks, nothing more. Now that's all they really face, people wouldn't bother with a targeted, planned, attack, they just don't have enough of value. They face low level thugs that do vandalism, smash and grabs, that kind of shit. And oh, by the way, it DOES happen. The mall near me gets broken in to at least once a year, usually dumbass teens just causing trouble, and by the fact that they got in, it means security failed to stop them.
They don't get fired, their job isn't to stop everything, it is to report anything they see, and to drive around and look conspicuous (their car is marked, and has a flashing yellow light) so as to scare troublemakers off.
If your house has never been broken in to it isn't because you have amazing security. A burglar alarm and a crap lock do not make great security. It is because nobody has tried. They good news is most of us don't face much in the way of threats to security in the physical world. Nobody tries to break in, or attack us, or the like. It is quite uncommon.
Now that doesn't mean we should just be all lax with computer security, but it does mean that this silly demand of perfection needs to stop. Nothing is perfectly secure.