Canadian University to Begin Training Hackers 379
torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
Hacking ethics (Score:5, Interesting)
They might be accused... (Score:5, Interesting)
And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.
hey (Score:1, Interesting)
Security experts and black hats (Score:4, Interesting)
Pleased (Score:5, Interesting)
argue that it is the wrong sort of training that could lead to rise of new generation of script kiddies, I would argue the other way round. There would be more people who would know exactly how these things are engineered & have greater understanding to build more secure systems with that understanding.
Fearful view of disseminating such information only feeds censorship. And we all know how well that works.
hype (Score:4, Interesting)
maybe it's just me, but this article has a rather tabloid-esque sensanionalist feel to it. where did they get the figure of $1.6-trillion of damage done by viruses? that's just not believable. then they quote unspecified "experts" and refer to vaguely conspiratorial theories of government-hired hackers in a "secret laboratory".
basically, they are printing a new course announcement and mixed it in with a bunch of hyped up BS in order to make it look like a real article.
hacking for dummies (Score:2, Interesting)
It has been suggested to me that I might as well just teach a basic operating systems class, but it doesn't have to same ring to it
Re:Hacking ethics (Score:1, Interesting)
hackers are by definition self-educated
U of "C" doesn't teach "C" (Score:4, Interesting)
I was suprised at the raw nerve I seemed to have hit with the prof I was speaking to because she became somewhat defensive.
My position is that if we for instance go to sourceforge and check the projects that we will find that C/C++ is perhaps the most popular language for these projects. If I look at my development requirements my conclusion is that C/C++ is THE ONLY viable languge I would even consider using! In my career I have programmed on over 13 platforms and I have used over 13 languages - many of which are now obsolete. I don't think I am biased towards C/C++ or say biased away from say Java. I have my career and at this point in my life I am managing it! I encourge all other programmers to do likewise. What this means is that for me - if a client asks me to program in VB, Java, etc. my answer is that I will NOT take on the job.
Given my strong feelings that C/C++ will be here for the foreseeable future - I find it totally ironic that the U of "C" doesn't even teach "C".
As such - I consider them rather irrelevant.
Furthermore as it turns out I was at the OpenBSD hackathon BBQ last weekend and made the point of asking the hackers how much Java there is in OpenBSD. They laughed. When I asked about C++ they were a little more serious and consided that perhaps there is some somewhere.
So I commented to them that the Uof"C" doesn't teach "C" and was actually quite surpised to hear one chap pipe up that his company doesn't hire UofC IT grads.
I think this is a really sad testiment to the department actually. My opinion is that they have a strong Java / M$ bias and I think this is rather sad. Just MHO...
--------------
BTW - these comments should not be construed to critisize Ruby, Python, Perl, Bash, PHP etc. These langages all have their place and I use some of them. My comments are about the use of C/C++ for general purpose applications development where you might end up with 50,000+ lines of code.
Re:Just tools (Score:4, Interesting)
In fact I took an Information Warfare class and one of the options for a final project was virus writing.
Practical reasons to teach viruses. (Score:5, Interesting)
One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?
There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)
The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.
Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.
Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.
The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.
I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.
That's how I learned (Score:5, Interesting)
Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.
I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide [amazon.com]. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.
Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup
Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?
Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.
Not a Troll or Flamebait. (Score:4, Interesting)
This method would also be cheap in terms of raw materials. If you can threaten an attacking country with the destruction of their economy or failure of basic utillity systems, without having to mobilize a pile of troops, you're money ahead. Sounds like a plan.
Re:Better Virii (Score:2, Interesting)
Re:Crackers (Score:2, Interesting)
>
> Crackers (and cracking), on the other hand, are those who maliciously exploit hardware and software that is not their own, for personal gain, and sometimes just for the sake of having done it.
Sorry to burst your bubble, but educating oneself is personal gain. Thanks to laws like the DMCA, reverse engineering is considered malicious. And pulling apart hardware/software (reverse engineering) seems like exploitation.
Now, I know that you try to further clarify the difference between crackers and hackers by saying crackers damage a system, but most crackers would want to crack a system without doing "damage" in the physical sense. The real question is whether the company sees it as damage--bare with me on this. It's possibly just as damaging to copy all internal documents of a company as it is open up a black box and figure out how to make your own version.
Internal documents could be bad by showing how a company is lying or showing a lack of progress whether or not the company does end up producing a product at expected times (neither situation being one the company would want to distribute). Neither is physical damage, but either could ruin the company.
Reverse engineering could show a company is lying as well or show a lack of progress (the former being stealing code, the latter not advancing as much as reviewers/consumers expect). The development of a competitive product could be developed as well (assuming they don't own patents on the product) based on reverse engineering.
The best way to differentiate hackers/crackers then isn't by the motives or the means, but purely intent.
If the intent is purely for the aquisition of information, hackers would approve of it. In this case, it's not much a surprise hackers are know for gpl code and warez even.
Crackers are more interested in aquisition of goods or money, willing to exploit a system for knowledge for personal gain at the advantage over others. In some ways, crackers are the capitalist hackers. So, at some level, crackers are more likely to trade warez than to give them away and to possibly event control warezing to make sure not everyone warezes (to do so would eliminate the producers completely).
So, in a nut shell, hackers are communist/idealist deomcratic individuals. Crackers are capitalists. I don't think either view is ever fully realized in individuals, however.
Re:Resume (Score:5, Interesting)
I did an internship with one of our government departments, involving 'security research'. Sure, an hour a day was occupied reviewing firewall/IDS logs, but the rest of the time was spent developing and testing exploits. It was a hell of a lot of fun, and I gotta tell you - I have a deeper understanding of the TCP/IP protocol suite than anyone in their right mind could want, I can code shellcode in my sleep, and writing a self-modifying virus that evades most signature-based scanners is something far from impossible now.
I gotta tell you, the right employer drools at this, because it's not something a person picks up in school, and the vast majority of people that know anything about it are really no more than glorified script kiddies. When it comes time to harden a system WELL, or set up an IDS so that it's actually useful, or write a virus scanner that will actually work 2 days after it's released onto the market... it helps to have a clue what you're doing.
Re:Crackers (Score:4, Interesting)
I know it's a semantical argument over words, but for crying out loud, "hacking" wasn't even strictly computer-related in the first place.
So am I a terrorist? (Score:4, Interesting)
I just finished writing my final exam (actually, a report) in the "Network Security" class. It was actually quite fun. The class is divided into several teams of 3 or 4 students and each team sets up an e-commerce site that is visited by an administrative team that logs successful transactions from their own machines.
Each team's job is to keep their site up while simultaneously trying to knock other teams off of the network. Each site uses two machines with two different operating systems: Redhat 8 and Windows XP professional.
Needless to say, we checked the security and hacking sites several times a day to make sure to be aware of new exploits creeping out.
Hack sessions were "anything goes", we basically progressed from larval stage (script kiddie) to juvenile (perl, java and C based exploits.
No one wrote any new exploits this time around, but a whole new batch of wet-behind-the-ears "hackers" are released from this univeristy every semester.
Of course, the purpose of the class is to create an environment where teams can learn about security by practicing the arts of the "Black Hat". It was surely the most fun I have had yet in the university.
Re:They might be accused... (Score:4, Interesting)
But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.
About time (Score:2, Interesting)
Re:Studying viruses is important (Score:3, Interesting)
I completely agree. I think anyone who knew about these capabilities within Outlook, should have been able to predict the problems in advance too. When a friend discovered the same capabilities in Lotus Notes, he certainly did. (this was before the run-on-open outlook stuff).
If more people actually tried to look forward and think what loopholes might be exploited in the future, rather than merely reacting, we might be able to secure more business software pro-actively rather than reactively.
Skilled viruses & Quarantine labs... (Score:3, Interesting)
But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.
Readers who find this idea interesting may want to read This Alien Shore [amazon.com] by C.S. Friedman. While it's nothing relevant to current technology, it describes an interesting scenario of a well-written virus, and describes it from the point of view of both an untrained "cracker" and a schooled, skilled, & specialized "security specialist."
Our school has thought this for a few years in US (Score:1, Interesting)
It is one of the more demanding classes in cs. In past classes students have even been able to have their programs battle it out in a sandbox to see who's virus can spread faster and kill the others.
Oh and the "Little Black Book"? Yes, that is the textbook for the class.
The Canadians are copycats.