Canadian University to Begin Training Hackers

torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"

Hacking ethics

[ciroknight]

I just read a good article on this too. Apparently, if we train hackers at a young age, we can control them, and get much more work done. Read the article at http://www.cs.berkley.edu/~bh/hackers.html

They might be accused...

[MattCohn.com]

I'm sure they will be ACCUSED of it, but I think everyone here sees the real reason. How can you know how to secure your systems if you don't know what the virus writers are doing?

And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.

hey

[Anonymous Coward]

it's just like the school of the Americas where we train most of the anti-terrorist forces, but it's also the place where most terrorists come out of. If they don't have a problem with that school, the same rationale should be applied to this school.

Security experts and black hats

[Jacer]

You gain a certain understanding for certain things when you're "at the wrong end of a telnet session" A lot of that knoweldge can be used for protecting against the same exploits. If they're writing viruses, maybe instead of having a definition file for each virus that has to constantly be updated, they could author some detection scheme that monitors for activity that is like a virus, or certain function within the code that can be stopped much simpler than the current methods

Pleased

[ramzak2k]

I am pleased at such a course and fail to understand why I it has not been taught in other universities so far. While someone could
argue that it is the wrong sort of training that could lead to rise of new generation of script kiddies, I would argue the other way round. There would be more people who would know exactly how these things are engineered & have greater understanding to build more secure systems with that understanding.

Fearful view of disseminating such information only feeds censorship. And we all know how well that works.

hype

[DarkSkiesAhead]

maybe it's just me, but this article has a rather tabloid-esque sensanionalist feel to it. where did they get the figure of $1.6-trillion of damage done by viruses? that's just not believable. then they quote unspecified "experts" and refer to vaguely conspiratorial theories of government-hired hackers in a "secret laboratory".

basically, they are printing a new course announcement and mixed it in with a bunch of hyped up BS in order to make it look like a real article.

hacking for dummies

[MrDelSarto]

you know, I've been working through the idea of a "hacking 101" course for pre-university students. Think about the concepts to you need to understand how to write a "simple" stack overflow ; all about how programs execute, how system calls work, machine language, probably network programming. Let alone the actual C and ASM hackery skills. More advanced hacks like infecting dynamic libraries etc require even more knowledge. By the end of it, you'd come out at least knowing if you liked computer science. I wish someone had done this for me when I was 16 or 17. Take the class over a few weeks, introducing one concept a week and then have a go at writing that part of your exploit.

It has been suggested to me that I might as well just teach a basic operating systems class, but it doesn't have to same ring to it ...

Re:Hacking ethics

[Anonymous Coward]

training hackers is an oxymoron

hackers are by definition self-educated

U of "C" doesn't teach "C"

[cdn-programmer]

I live within walking distance of this university and I am a professional developer and have been for a number of years. Last fall I contacted their IT people and asked if they have any courses on C++ cross platform development. (Rightly or wrongly I elected to use wxWindows and C/C++ from now on - but I still ahve a lot of legacy code of course).

I was suprised at the raw nerve I seemed to have hit with the prof I was speaking to because she became somewhat defensive.

My position is that if we for instance go to sourceforge and check the projects that we will find that C/C++ is perhaps the most popular language for these projects. If I look at my development requirements my conclusion is that C/C++ is THE ONLY viable languge I would even consider using! In my career I have programmed on over 13 platforms and I have used over 13 languages - many of which are now obsolete. I don't think I am biased towards C/C++ or say biased away from say Java. I have my career and at this point in my life I am managing it! I encourge all other programmers to do likewise. What this means is that for me - if a client asks me to program in VB, Java, etc. my answer is that I will NOT take on the job.

Given my strong feelings that C/C++ will be here for the foreseeable future - I find it totally ironic that the U of "C" doesn't even teach "C".

As such - I consider them rather irrelevant.

Furthermore as it turns out I was at the OpenBSD hackathon BBQ last weekend and made the point of asking the hackers how much Java there is in OpenBSD. They laughed. When I asked about C++ they were a little more serious and consided that perhaps there is some somewhere.

So I commented to them that the Uof"C" doesn't teach "C" and was actually quite surpised to hear one chap pipe up that his company doesn't hire UofC IT grads.

I think this is a really sad testiment to the department actually. My opinion is that they have a strong Java / M$ bias and I think this is rather sad. Just MHO...

--------------

BTW - these comments should not be construed to critisize Ruby, Python, Perl, Bash, PHP etc. These langages all have their place and I use some of them. My comments are about the use of C/C++ for general purpose applications development where you might end up with 50,000+ lines of code.

Re:Just tools

[TeknoDragon]

yes... there are probably many schools in the US doing this...

In fact I took an Information Warfare class and one of the options for a final project was virus writing.

Practical reasons to teach viruses.

[rice_burners_suck]

I think this is a good move, but not for reasons that someone (who would mod this Funny) might think.

One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?

There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)

The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.

Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.

Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.

The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.

I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.

That's how I learned

[PetoskeyGuy]

Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.

I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide [amazon.com]. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.

Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup

Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?

Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.

Not a Troll or Flamebait.

[teamhasnoi]

As I understand it, Canada is militarily weak. Why shouldn't they have a school for 'cyber-warfare'? It is one way that they could easily compete offensively - write a virus that takes guidance systems, communication, and perhaps some actual weapons (see American ship and Win NT) offline.

This method would also be cheap in terms of raw materials. If you can threaten an attacking country with the destruction of their economy or failure of basic utillity systems, without having to mobilize a pile of troops, you're money ahead. Sounds like a plan.

Re:Better Virii

[TallEmu]

I'd toyed about the concept of building a virus with a beneficial payload, but gave it up as it's is ethically cloudy to say the least. For instance, new vulnerabilty reported? Write a virus that exploits (and patches) it. It could conceptually at least spread at the same speed as the original virus. While that may not always be practical (it would depend obviously on the vulnerability and how complex the patch was) there is the ethical consideration that I have absolutely no rights (read that Eula!) to "attack" your system and "fix" it. Plus, my idea of a "fix" (this product doesn't do DRM correctly) may not equate to yours ("this program does do DRM correctly"). Another alternative would be to replicate the virus logic, with a benign payload "Hey! Sysadmin! Did you know you are vulnerable to - you should go get patch from ..."

Re:Crackers

[Anonymous Coward]

> Someone correct me if I'm wrong, but I believe that "hacking" is the (lost?) art of taking apart, fiddling, and generally reverse engineering. The purpose of "hacking" was (is?) to educate oneself on the inner workings of a device.
> ...
> Crackers (and cracking), on the other hand, are those who maliciously exploit hardware and software that is not their own, for personal gain, and sometimes just for the sake of having done it.

Sorry to burst your bubble, but educating oneself is personal gain. Thanks to laws like the DMCA, reverse engineering is considered malicious. And pulling apart hardware/software (reverse engineering) seems like exploitation.

Now, I know that you try to further clarify the difference between crackers and hackers by saying crackers damage a system, but most crackers would want to crack a system without doing "damage" in the physical sense. The real question is whether the company sees it as damage--bare with me on this. It's possibly just as damaging to copy all internal documents of a company as it is open up a black box and figure out how to make your own version.

Internal documents could be bad by showing how a company is lying or showing a lack of progress whether or not the company does end up producing a product at expected times (neither situation being one the company would want to distribute). Neither is physical damage, but either could ruin the company.

Reverse engineering could show a company is lying as well or show a lack of progress (the former being stealing code, the latter not advancing as much as reviewers/consumers expect). The development of a competitive product could be developed as well (assuming they don't own patents on the product) based on reverse engineering.

The best way to differentiate hackers/crackers then isn't by the motives or the means, but purely intent.

If the intent is purely for the aquisition of information, hackers would approve of it. In this case, it's not much a surprise hackers are know for gpl code and warez even.

Crackers are more interested in aquisition of goods or money, willing to exploit a system for knowledge for personal gain at the advantage over others. In some ways, crackers are the capitalist hackers. So, at some level, crackers are more likely to trade warez than to give them away and to possibly event control warezing to make sure not everyone warezes (to do so would eliminate the producers completely).

So, in a nut shell, hackers are communist/idealist deomcratic individuals. Crackers are capitalists. I don't think either view is ever fully realized in individuals, however.

Re:Resume

[freeweed]

I know this is intended to be funny, but I think people would be surprised at just how good this can look on a resume.

I did an internship with one of our government departments, involving 'security research'. Sure, an hour a day was occupied reviewing firewall/IDS logs, but the rest of the time was spent developing and testing exploits. It was a hell of a lot of fun, and I gotta tell you - I have a deeper understanding of the TCP/IP protocol suite than anyone in their right mind could want, I can code shellcode in my sleep, and writing a self-modifying virus that evades most signature-based scanners is something far from impossible now.

I gotta tell you, the right employer drools at this, because it's not something a person picks up in school, and the vast majority of people that know anything about it are really no more than glorified script kiddies. When it comes time to harden a system WELL, or set up an IDS so that it's actually useful, or write a virus scanner that will actually work 2 days after it's released onto the market... it helps to have a clue what you're doing.

Re:Crackers

[ebbomega]

Yes, but on that note, Canadian universities have been teaching hacking for ages. In fact, it's the cornerstone of a Computing Science degree.

I know it's a semantical argument over words, but for crying out loud, "hacking" wasn't even strictly computer-related in the first place.

So am I a terrorist?

[rworne]

My university here in California teaches a course similar to this at the 4th year undergrad or graduate level.

I just finished writing my final exam (actually, a report) in the "Network Security" class. It was actually quite fun. The class is divided into several teams of 3 or 4 students and each team sets up an e-commerce site that is visited by an administrative team that logs successful transactions from their own machines.

Each team's job is to keep their site up while simultaneously trying to knock other teams off of the network. Each site uses two machines with two different operating systems: Redhat 8 and Windows XP professional.

Needless to say, we checked the security and hacking sites several times a day to make sure to be aware of new exploits creeping out.

Hack sessions were "anything goes", we basically progressed from larval stage (script kiddie) to juvenile (perl, java and C based exploits.

No one wrote any new exploits this time around, but a whole new batch of wet-behind-the-ears "hackers" are released from this univeristy every semester.

Of course, the purpose of the class is to create an environment where teams can learn about security by practicing the arts of the "Black Hat". It was surely the most fun I have had yet in the university.

Re:They might be accused...

[Tony-A]

the perceived "skill" required to write a virus is blown way out of proportion.

But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.

About time

[tyagiUK]

It's about time CS students got back to learning some proper programming languages, methods, algorithms and system-level understanding. Having seen numerous UK Universities go from teaching assembler and hardware-level courses to being a middle-of-the-road Microsoft house, I think this type of course can give students a true understanding of the systems with which they're working. I just hope they're not only concentrated on .Net viri built using a template "virus wizard". -- Core Wars should be part of every curriculum!

Re:Studying viruses is important

[sam0ht]

I completely agree. I think anyone who knew about these capabilities within Outlook, should have been able to predict the problems in advance too. When a friend discovered the same capabilities in Lotus Notes, he certainly did. (this was before the run-on-open outlook stuff).

If more people actually tried to look forward and think what loopholes might be exploited in the future, rather than merely reacting, we might be able to secure more business software pro-actively rather than reactively.

Skilled viruses & Quarantine labs...

[bourne]

But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.

Readers who find this idea interesting may want to read This Alien Shore [amazon.com] by C.S. Friedman. While it's nothing relevant to current technology, it describes an interesting scenario of a well-written virus, and describes it from the point of view of both an untrained "cracker" and a schooled, skilled, & specialized "security specialist."

Our school has thought this for a few years in US

[Anonymous Coward]

This is nothing new... Portland State University has tought a virus class for several years.

It is one of the more demanding classes in cs. In past classes students have even been able to have their programs battle it out in a sandbox to see who's virus can spread faster and kill the others.

Oh and the "Little Black Book"? Yes, that is the textbook for the class. :)

The Canadians are copycats. ;)