Students Learn To Write Viruses
snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has shown them how to penetrate even the best antivirus software."
Penetrate even the best antivirus software? (Score:5, Interesting)
Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?
Old News (Score:5, Interesting)
Virus writing was part of my assembly & architecture class circa 1990.
Re:So what? (Score:3, Interesting)
What companies? Would they want to work there anyway?
Spot on! I mean, why work for a security company, when you can work for a government? Isn't that what this guy is going to do [bbc.co.uk] in New Zealand?
... failing a government contract, why not just 'make' your own money using your newly found l33t haxx0r skillz from school?
Re:"We've Changed this Game" (Score:5, Interesting)
I used to write viruses. Evading anti-virus software was sort of like the testing/tweaking phase of software development -- "oops, McAfee flagged it as suspicious, let me modify this line of code here, this one here... ahah, fixed".
The truth is, anti-virus technology hasn't significantly changed since the DOS days. It's all about heuristics, pattern-matching, and behavior-preventing. It's trivial to evade these technologies.
Re:Hostile Authorities (Score:5, Interesting)
You can get cracking techniques from loads of places; this guy's teachings are old news.
Is there, or should there be a line to education? (Score:2, Interesting)
So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?
Re:Oh Joy more spam (Score:2, Interesting)
What about martial arts.. (Score:4, Interesting)
Just because you can possibly use some skill to be evil doesn't mean you shouldn't learn it.
It's like saying police shouldn't know any martial arts or learn to shoot a gun because they could use the skills to kill someone.
Should be mandatory (Score:3, Interesting)
Re:They need BOTH! (Score:3, Interesting)
I've proposed this:
https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]
3rd party code should say what it is and what sandbox template it requires to run.
If the requested sandbox is in line with what the code claims to be, and "what it is" is what the user wants, then the user can decide to allow it.
The O/S then sandboxes the code according to those privileges.
Expecting users or software to identify good code from bad code is similar to expecting them to solve the "Halting Problem".
With my suggestion, it is a lot easier to train users to understand that a "Paris Hilton Video" which requires "Full System Privileges" is likely to be malware.
Whereas a "Cute Game" that requires "Guest Game Privileges" should be OK and since the O/S sandboxes it, there's little the "Cute Game" can do - it should not even be able to access the user's Documents (which unfortunately is possible in most Desktop O/Ses today - almost anything the user launches can access the user's documents, microphone, webcam etc).
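The check proposed in the comment above, sketched as an added example (it is not from the thread or the linked Launchpad report): the program declares what it is and which sandbox template it wants, and the O/S compares the two before asking the user. The template contents, privilege labels and manifest field names are assumptions made for illustration.

```python
# Hypothetical sandbox templates: template name -> privileges it grants.
TEMPLATES = {
    "Guest Game Privileges": {"display", "audio_out", "own_save_dir"},
    "Media Viewer Privileges": {"display", "audio_out", "read_opened_file"},
    "Full System Privileges": {
        "display", "audio_out", "own_save_dir", "read_opened_file",
        "user_documents", "microphone", "webcam", "network", "install_drivers",
    },
}

# Hypothetical mapping: what a program claims to be -> the template that
# kind of program would normally need.
EXPECTED = {
    "game": "Guest Game Privileges",
    "video": "Media Viewer Privileges",
    "system utility": "Full System Privileges",
}


def review(manifest):
    """Compare the requested template with the program's own claim.

    Returns (verdict, excess): "ask_user" when the request is in line with
    the claim, "warn" when it asks for more than the claim justifies, and
    "deny" when the claim or template is unknown (fail closed).
    """
    kind = manifest.get("claims_to_be")
    requested = manifest.get("sandbox_template")
    if kind not in EXPECTED or requested not in TEMPLATES:
        return "deny", set()
    excess = TEMPLATES[requested] - TEMPLATES[EXPECTED[kind]]
    return ("warn" if excess else "ask_user"), excess


def granted(manifest, user_approved):
    """Privileges the O/S would enforce: none unless the request matched
    the claim and the user approved it."""
    verdict, _ = review(manifest)
    if verdict != "ask_user" or not user_approved:
        return frozenset()
    return frozenset(TEMPLATES[manifest["sandbox_template"]])


# Constructed sample manifests mirroring the two cases in the comment.
CUTE_GAME = {"name": "Cute Game", "claims_to_be": "game",
             "sandbox_template": "Guest Game Privileges"}
FAKE_VIDEO = {"name": "Paris Hilton Video", "claims_to_be": "video",
              "sandbox_template": "Full System Privileges"}

if __name__ == "__main__":
    for m in (CUTE_GAME, FAKE_VIDEO):
        verdict, excess = review(m)
        print(m["name"], "->", verdict, sorted(excess))
```
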
Re:Social Engineering VS Computer Sci (Score:3, Interesting)
Also, keep in mind it looks better on your resume than a fine arts degree.
Sonoma State security class (Score:1, Interesting)
I go to Sonoma State, Mr. Ledin is an awesome teacher, but it is true that many of the local tech companies have blacklisted the students in the class.
Re:Good (Score:3, Interesting)
You're right when you say that the ploy used 3 months ago is worthless today. Teaching someone to abuse the LSASS or RPC exploit used by Sasser and Lovsan, respectively, is about as useful as knowing how to code with punchcards. It was highly useful in the ol' days of yore, but when you tell someone in the field with pride that you can do either, they'll at best snicker at you.
There are, though, techniques that are still useful because they cannot be patched. Mostly because they are working as intended. It is still possible to run malware inside another process, that's a wanted behaviour. It is still possible to create low level malware drivers, for the same reason. So teaching those does make a lot of sense.
I also can't agree with the firefighter analogy. It's more like teaching a designer for locks how lockpicking works. To design the better lock, you have to know how a burglar tries to defeat them. You have to know what ways exist to get malware into the system to know which points you have to harden to raise that bar for the invaders.
I wouldn't concentrate on any specifics, though. That would be more like handing out fishes instead of teaching to fish. Specific information is outdated the moment you learn it, because it was current when your teacher learned about it, and 3 months is a long, long time in that field. What was state of the art a year ago isn't too interesting anymore today. To make the teaching efficient, you have to steer clear of anything too specific for a given attack. The theory, the basic idea behind an attack, is more important than any practical application. Teach where systems are vulnerable, and what vulnerabilities cannot be closed easily because the system depends on them. Then start thinking of ways to seal them as well as possible.
Re:Old News (Score:5, Interesting)
Back when the Morris worm hit in '88, I was teaching assembly language. We'd spent the whole day on the worm (making sure it hadn't planted or destroyed any files on our machines) and I didn't have a lecture prepared by class time. So I told them I'd explain the worm instead but that they could leave if they wanted since it wouldn't be on the exam. Our topic the week before was how the stack was changed during function calls so they already had the background. No one left and I got the pleasure of watching faces light up around the room as it dawned on people where my explanation was going. Ah, those were the days...
Devon
Re:What about martial arts.. (Score:3, Interesting)
students shouldn't learn to write viruses because it is a poor way to learn information security
I don't agree. It would be a poor way if it was the only way you learned, however it's actually an excellent lesson for students who would otherwise fail to recognize just how easy it is to do and just how unprotected they are by software AV solutions.
Sometimes the best way to teach something is to immerse the student in it... and even better is to show them the other side of things.
Your statement is like saying that taking classes in breaking software (unpredictable behaviour) is a poor way to learn to test software. The more intimately you understand the threats, the better you can protect against them.
Besides... a class like this will breed a bunch of new Linux users cuz they will realize how easy it is for their Windows machines to be pwned.