Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Education

Canadian University to Begin Training Hackers 379

torok writes "According to an article at The Edmonton Journal, The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab. Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"
This discussion has been archived. No new comments can be posted.

Canadian University to Begin Training Hackers

Comments Filter:
  • by Anonymous Coward




  • Hacking ethics (Score:5, Interesting)

    by ciroknight ( 601098 ) on Thursday May 22, 2003 @08:47PM (#6020206)
    I just read a good article on this too. Apparently, if we train hackers at a young age, we can control them, and get much more work done. Read the article at http://www.cs.berkley.edu/~bh/hackers.html
    • Re:Hacking ethics (Score:5, Informative)

      by boredMDer ( 640516 ) <pmohr+slashdot@boredmder.com> on Thursday May 22, 2003 @08:51PM (#6020237)
      For those of you blindly following that link and getting 404's or similar, here's both the corrected version (Berkeley is spelled w/ 3 e's) and in link form -
      http://www.cs.berkeley.edu/~bh/hackers.html [berkeley.edu]
    • by op51n ( 544058 ) on Thursday May 22, 2003 @09:48PM (#6020589)
      Disgruntled Professor in said subject goes insane (but his inherent humanity remains for later purposes in the script, naturally) and writes a virus that will 'bring down the planets computing power'. Former student and star of the class is brought in (obviously from somewhere and time at which they for some reason cannot face computers (possibilities: severe RSI, Epilepsy set off miraculously by 65-85Hz screens, Blindness...) to defeat the mad professor, before the final showdown with badly executed profundities.

      And all the computer scenes have to use a bizarre and unique 3D styled UI, that looks wholly unusable, and slightly, if not completely frustrating.

      Geee, I can't wait *lays on the fake exuberance*. These things always happen when something becomes more mainstream.
      • Former student and star of the class is brought in (obviously from somewhere and time at which they for some reason cannot face computers (possibilities: severe RSI, Epilepsy set off miraculously by 65-85Hz screens, Blindness...) to defeat the mad professor, before the final showdown with badly executed profundities.

        Nah, the former star student would be in jail and would be released a la The Jackal to catch the mad professor. Then they would let him "disappear" only to find him later at a cybercafe dead
  • by MattCohn.com ( 555899 ) on Thursday May 22, 2003 @08:48PM (#6020208)
    I'm sure they will be ACCUSED of it, but I think everyone here sees the real reason. How can you know how to secure your systems if you don't know what the virus writers are doing?

    And I'm sure that a select number of people will use this information maliciously, but everything comes at a cost. I don't think it would be a good idea if no one but the 'bad guys' knew how to write a virus, because then no one but them would know how to keep their systems secure from them.
    • by caouchouc ( 652238 ) on Thursday May 22, 2003 @09:18PM (#6020443)
      As a software engineer, I have to say that the perceived "skill" required to write a virus is blown way out of proportion.

      There's nothing inherently special about a virus or a worm. They're actually very simple, and most malware writers today are not very talented. They produce bloated, barely functional software (scripts, for the most part today) that is only dangerous because the average user is so trusting. I remember when viruses were actually smaller than the files they infected...

      Got coders in your firm? If they're capable of writing inter-operation layers for your apps or database frontends, then they're capable of writing viruses and worms far worse than bugbear. But chances are they don't, because it's a waste of time.

      Those students don't need specialized virus-writing courses. A simple assembly course would put them lightyears ahead of the "bad guys" if they actually paid attention for once.
      • by Tony-A ( 29931 ) on Friday May 23, 2003 @02:26AM (#6021855)
        the perceived "skill" required to write a virus is blown way out of proportion.

        But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.
        • But how do we protect ourselves when people with skills start writing malware? Methinks the main advantage would be a quarantined lab environment where the dynamics of propagation could be studied.

          Readers who find this idea interesting may want to read This Alien Shore [amazon.com] by C.S. Friedman. While it's nothing relevant to current technology, it describes an interesting scenario of a well-written virus, and describes it from the point of view of both an untrained "cracker" and a schooled, skilled, & spec

      • by Saint Stephen ( 19450 ) on Friday May 23, 2003 @04:16AM (#6022140) Homepage Journal
        The fact that most viruses are so simple should scare the hell out of you. All virii to date just rely on the hosts ignorance -- the virus writer knows something the host doesn't. Plus, even the worst attacks are just annoyances. You haven't seen a really evil virus.

        Like, what if the next virus directs all the modems to dial 911 at the same time, and coordinates that with a real world terrorist attack?

        I use the analogy that current virus writers are like Palestinians strapping bombs to themselves and blowing themselves up -- any fool can do it, you just have to sneak past. You haven't seen the Al Quaeda of viruses yet.
      • There's nothing inherently special about a virus or a worm. They're actually very simple, and most malware writers today are not very talented.

        Then we need to get some good HOWTO's and code examples of how to write more sophisticated viri out there.

        First, most viri use a single attack vector. That is, they use only one means to spread. What if a single program could use multiple different exploits? Any exploit that was effective would allow the program to spread.

        Even better, imagine, if the pr
    • Most of the reason why viruses work are not becuase there is some inherent genious in writing viruses but rather because the operating system in conjunction with the user promotes an environment in which viruses can spread. I think instead of taking a virus writing class to find out how to secure software they should take a class on writing secure software. virus.bat: @echo off echo "Please send this to all your friends before proceeding." echo "Press any key when you have sent it" pause echo "Loading supe
    • by ryanr ( 30917 ) * <ryan@thievco.com> on Thursday May 22, 2003 @09:58PM (#6020650) Homepage Journal
      You don't secure systems against viruses. You have to secure people against them. They're a behavioral problem. A virus doesn't need any kind of flaw to propagate, it just needs a trusting person. You could write a bugless operating system, and as long as a regular user can use it to get useful work done, then the same user can also infect it through neglect, ignorace, or maliciousness.
  • Crackers (Score:5, Informative)

    by ramzak2k ( 596734 ) * on Thursday May 22, 2003 @08:48PM (#6020212)
    Crackers, not hackers.
    I understand this is a losing battle but lets not get it wrong on slashdot.
    • Re:Crackers (Score:2, Informative)

      by McAddress ( 673660 )
      They are most certainly hackers, not crackers. They are learning about the knowledge in a safe lab, as not to cause accidental damage, for a useful non-malicious purpose. That is a lot better than many of the current experts on these issues.
      • Re:Crackers (Score:4, Interesting)

        by ebbomega ( 410207 ) on Thursday May 22, 2003 @10:00PM (#6020657) Journal
        Yes, but on that note, Canadian universities have been teaching hacking for ages. In fact, it's the cornerstone of a Computing Science degree.

        I know it's a semantical argument over words, but for crying out loud, "hacking" wasn't even strictly computer-related in the first place.

    • I actually think the battle is lost. The word has changed meaning due to popular usage. I guess this is how the Spam people felt.
    • Re:Crackers (Score:5, Insightful)

      by RobotRunAmok ( 595286 ) * on Thursday May 22, 2003 @09:10PM (#6020379)
      losing battle

      Lost, son. Circa 15 years ago. Woulda helped had we picked a word not already firmly ensconced in both the vernacular (thin biscuit) AND slang (narrow-minded Southern whitey) simultaneously. 'Cracker' never stood a chance; teenage cabals can *suggest* lanaguage, but it's up to the media to bless it and disseminate it.

      Just let it go. As a geek patheticism, insisting on the use of the word "cracker" over "hacker" is starting to rank up there with wearing one's plastic Vulcan ears out in public.
    • How did this get modded insightful? First of all, the true definition of a word goes by the general public, not by a random website quoted under a post. I think dictionary.com [dictionary.com] is a little more authoritive on the definition of a hacker than Olga Grinberg [grinberg.net]'s public space on the internet.

      Sure, hackers are enthusiasts, however this also includes those who are enthusiastic about writing malicious code. Don't be lame and think that just because you don't agree with twelve year old script kiddies using the word yo
    • Crackers, not hackers.
      Ummm...Are you just saying that because you've heard it said?

      The University of Calgary is going to start teaching select computer science students to write software viruses in a special new disconnected lab.

      Is there anything in there at all that in the slightest way implys cracking? Specifically: "Write Software" and Disconnected Lab"

      I don't like it when vandalist script kiddies call themselves hackers any more than the next guy, but these students wil be taught to be hardcore so

    • Re:Crackers (Score:4, Funny)

      by Dylan Zimmerman ( 607218 ) <<moc.xoblaerym> <ta> <namremmiZ_boB>> on Thursday May 22, 2003 @10:47PM (#6020922)
      I like pclminion (145572)'s response to this.

      From post #5336611

      "Let them refer to crackers as 'hackers.' We'll just switch to referring to hackers as 'gods.' ;-)"
  • Just tools (Score:3, Insightful)

    by IronBlade ( 60118 ) on Thursday May 22, 2003 @08:48PM (#6020213) Homepage
    The fact they are learning the hows of a skill does not mean they will use the skill maliciously.
    In fact, when educated, most people will use their powers for good, not evil.. :)
    • Re:Just tools (Score:4, Interesting)

      by TeknoDragon ( 17295 ) on Thursday May 22, 2003 @09:18PM (#6020436) Journal
      yes... there are probably many schools in the US doing this...

      In fact I took an Information Warfare class and one of the options for a final project was virus writing.
      • Re:Just tools (Score:4, Informative)

        by Sherloqq ( 577391 ) on Friday May 23, 2003 @04:41AM (#6022191)
        [...] there are probably many schools in the US doing this [...]

        There are also some schools [upenn.edu] out there that will let you propose a course, provided that:
        - the subject is educational
        - you find more than the minimum required number of students
        - you find someone to teach the class

        [...] I took an Information Warfare class [...]

        Funny you mention that, so did I -- at the aforementioned school. Officially it was called "Computer Ethics", but we've learned a lot about breaking into computers as well. There was even this one guy there, whose name eludes me for security purposes, who looked to be in his 30s at the time and who claimed to have worked for the gov't and was getting his masters at the time, IIRC. At the end of the semester the class got divvied up into groups for a project/presentation, so I made sure I was in the same group as he was. I've learned of a few neat tricks that the gov't was able to do with their technology, though no specifics (for obvious, classified reasons), like being able to pick up EM radiation from a monitor cable and reconstruct the video -- from a few hundred feet away.

        But getting back on-topic... if there's a will, there's a way. If students are interested in learning something the school doesn't offer, they should try rallying up support from both their peers as well as the professors to have courses offered.
        • Re:Just tools (Score:3, Informative)

          by Idarubicin ( 579475 )
          I've learned of a few neat tricks that the gov't was able to do with their technology, though no specifics (for obvious, classified reasons), like being able to pick up EM radiation from a monitor cable and reconstruct the video -- from a few hundred feet away.

          This isn't just something the government can do--this is something that a dedicated amateur can do with a little time and money. In addition to some expertise, you will need the following equipment [sfsu.edu]:

          • A good commercial wide band radio receiver prefe
    • In fact, when educated, most people will use their powers for good, not evil.. :) ...and then, a select few will use them for Awesome.

    • In fact, when educated, most people will use their powers for good, not evil.. :)

      Yes, until they have a power trip, turn to the dark side, turn against their former masters, then go on a wear-only-black-and-conquer-the-galaxy binge, only to be struck down by their own son, who they were trying to turn evil at the time.

      Getting 0wn3d by your own son is bad enough, but it's somewhat more humiliating when you open your son's email only to get a nasty VB worm that pops up a message saying "h4x0r3d by j00r k1d
  • by Jacer ( 574383 ) on Thursday May 22, 2003 @08:49PM (#6020220) Homepage
    You gain a certain understanding for certain things when you're "at the wrong end of a telnet session" A lot of that knoweldge can be used for protecting against the same exploits. If they're writing viruses, maybe instead of having a definition file for each virus that has to constantly be updated, they could author some detection scheme that monitors for activity that is like a virus, or certain function within the code that can be stopped much simpler than the current methods
    • "they could author some detection scheme that monitors for activity that is like a virus"

      Hueuristics, anyone? (Yes, I horribly butchered the spelling of that word, I know.)
      Granted, that sort of technology is somewhat prone to false alarms, but we have it. We just need to work on improving detection techniques and and reducing/eliminating false positives..
  • I wonder... (Score:5, Funny)

    by jarodss ( 243400 ) <mikedupuis79NO@SPAMhotmail.com> on Thursday May 22, 2003 @08:50PM (#6020227) Homepage
    will this be offered as an online course?
  • by Triv ( 181010 ) * on Thursday May 22, 2003 @08:50PM (#6020228) Journal
    Will Canada be accused of training the world's next generation of cyber-terrorists... or peacekeepers?"

    Oh! Oh! I Know! Is it...terrorists?

    • canada has always had an amazing real Peackeeping force, perhaps this is the beginning of a virtual peace keeping force.

      • canada has always had an amazing real Peackeeping force, perhaps this is the beginning of a virtual peace keeping force.

        The Mounties? I shudder at the thought of a burly man, sitting in his underwear in front of the computer, wearing a mounty hat. We must think of the cost of keeping the peace, and decide if it's worth that cost.
  • Not a big deal... (Score:4, Informative)

    by BrynM ( 217883 ) * on Thursday May 22, 2003 @08:51PM (#6020235) Homepage Journal
    Universities have been studying this [google.com] informally for a long time. It's just finally been made official somewhere. Besides, we've been studing warfare [google.com] and weapon making [google.com] for a long time.
    • Re:Not a big deal... (Score:3, Informative)

      by jc42 ( 318812 )
      Universities have been studying this informally for a long time.

      Well, I was wondering if I'd have to be the one to point this out.

      In the early 70's, I had several CS courses that went into the topic. This included both studying some known examples and writing new ones for some of the available campus machines. It seemed like a reasonable thing for a computer course to study.

      I mean, imagine a course of study in other kinds of engineering in which you never studied how things could fail or be sabotaged.
  • Pleased (Score:5, Interesting)

    by ramzak2k ( 596734 ) * on Thursday May 22, 2003 @08:52PM (#6020240)
    I am pleased at such a course and fail to understand why I it has not been taught in other universities so far. While someone could
    argue that it is the wrong sort of training that could lead to rise of new generation of script kiddies, I would argue the other way round. There would be more people who would know exactly how these things are engineered & have greater understanding to build more secure systems with that understanding.

    Fearful view of disseminating such information only feeds censorship. And we all know how well that works.
    • ...could lead to rise of new generation of script kiddies

      I think that maybe, if you have a college degree, it's safe to assume you're a little more than a script kiddie.

    • While someone could argue that it is the wrong sort of training that could lead to rise of new generation of script kiddies, I would argue the other way round.

      Don't forget that those are the same people that claim that the reason we have so many kids with guns is because the Boy Scouts teaches marksmanship. I am in total agreement with you that when you teach someone how to properly utilize a dangerous tool they will have more respect for it. Of course, you will always have abusers, but there is much

    • Re:Pleased (Score:4, Informative)

      by po8 ( 187055 ) on Thursday May 22, 2003 @11:48PM (#6021211)

      At Portland State University, we've been teaching a virus course in a "disconnected lab" for several years now. I was surprised that the Calgary course is big news---I imagine other institutions have been doing this as well.

      (Disclaimer: I am speaking for myself and not in any official Portland State University capacity. Not that you thought I was.)

  • Here is the list of undergraduate computer science courses [ucalgary.ca] offered by the University of Calgary.
  • by Anonymous Coward on Thursday May 22, 2003 @08:52PM (#6020250)
    close the borders! Canada has been found to be harbouring IT terrorists and thier weapons of mass destruction (Winblows XP). Prepare for invasion and removal of despotic government! Who cares if no one finds WMDs, America has been wanting Canada's vast quality beer reserves for some time now. Call General Franks and Beans!
  • Resume (Score:5, Funny)

    by phorm ( 591458 ) on Thursday May 22, 2003 @08:55PM (#6020271) Journal
    But... somehow I have a problem seeing this net me a job on my resume:

    • Virus Creation
    • System Cracking
    • Advanced infection techniques

    While I realize the above skills may not be entirely useful for the position described, I have noted that you do have an internet connection to your primary server via IP address Would you like me to tell you your root password during an interview, or should I be ready work at 8:30am tomorrow?
    • Re:Resume (Score:2, Funny)

      by Anonymous Coward
      Uh, I don't know about the folks you work for, but in my experience this goes like:

      Me: "I have noted that you do have an internet connection to your primary server via IP address Would you like me to tell you your root password ?"

      Them: "Oh really? Can you fix my Microsoft Explorer? It won't come up."

      Me: "But, if I can get in, anyone else can too!"

      Them: "That's okay, there's nothing important on my computer!"

      Me: "But they could launch an attack on other computers, they could get personal
    • Don't laugh .. how many people out there have a job because of something similar!!!
    • Re:Resume (Score:5, Interesting)

      by freeweed ( 309734 ) on Thursday May 22, 2003 @09:52PM (#6020608)
      I know this is intended to be funny, but I think people would be surprised at just how good this can look on a resume.

      I did an internship with one of our government departments, involving 'security research'. Sure, an hour a day was occupied reviewing firewall/IDS logs, but the rest of the time was spent developing and testing exploits. It was a hell of a lot of fun, and I gotta tell you - I have a deeper understanding of the TCP/IP protocol suite than anyone in their right mind could want, I can code shellcode in my sleep, and writing a self-modifying virus that evades most signature-based scanners is something far from impossible now.

      I gotta tell you, the right employer drools at this, because it's not something a person picks up in school, and the vast majority of people that know anything about it are really no more than glorified script kiddies. When it comes time to harden a system WELL, or set up an IDS so that it's actually useful, or write a virus scanner that will actually work 2 days after it's released onto the market... it helps to have a clue what you're doing.
  • hype (Score:4, Interesting)

    by DarkSkiesAhead ( 562955 ) on Thursday May 22, 2003 @08:57PM (#6020284)

    maybe it's just me, but this article has a rather tabloid-esque sensanionalist feel to it. where did they get the figure of $1.6-trillion of damage done by viruses? that's just not believable. then they quote unspecified "experts" and refer to vaguely conspiratorial theories of government-hired hackers in a "secret laboratory".

    basically, they are printing a new course announcement and mixed it in with a bunch of hyped up BS in order to make it look like a real article.
    • Re:hype (Score:5, Funny)

      by Timesprout ( 579035 ) on Thursday May 22, 2003 @09:01PM (#6020323)
      where did they get the figure of $1.6-trillion of damage done by viruses

      I was out sick for 2 weeks a few months ago with a virus so that explains a lot but I'm dammed if I know where they got the other half trillion from.
    • I think they count "Security Software" and companies like Symantec and Cisco Systems under this number, which greatly skews their numbers. Most great antivirus companies happen to be great computer repair companies and offer software that helps recover data from crashed hds, patches holes in operating systems, and otherwise keeps the computer clean. So yes, this number is greatly inflated, but getting a nice clean figure would be next to impossible otherwise.. plus it's good journalism to use big numbers,
    • I couldn't say if it is, but that sounds like a reasonable number... We had virii rip though the office about 4-5 times a year at my last job, and the whole network would be down for the better part of a working day. $25/hr * 8hrs * 80ppl = $16,000 in paying employees to hang out at the water cooler, not to mention the loss of business revenue. And that's just one medium-small business. If 100,000 similarly sized businesses had one day like that a year, there's your 1.6 trillion.
  • hacking for dummies (Score:2, Interesting)

    by MrDelSarto ( 95771 )
    you know, I've been working through the idea of a "hacking 101" course for pre-university students. Think about the concepts to you need to understand how to write a "simple" stack overflow ; all about how programs execute, how system calls work, machine language, probably network programming. Let alone the actual C and ASM hackery skills. More advanced hacks like infecting dynamic libraries etc require even more knowledge. By the end of it, you'd come out at least knowing if you liked computer science.
  • Don't overreact (Score:5, Insightful)

    by Mossfoot ( 310128 ) on Thursday May 22, 2003 @09:00PM (#6020318) Homepage
    After all, by studying how viruses are made, you can better understand them and thus make better anti-virus software. The kids going here are not going because they want to learn to be L33T cyber hackers or whatever, but knowing the tools of the trade (white and black hat) will help them in the computer programing/protection field.
  • You have to consider any methods of writing virus being taught at a university are without a doubt outdated and easily detected... Any who are able to take this information and progress it into a difficult to counter virus is intelligent enough that with that as their agenda they would have learned on their own anyway.
  • peacekeepers (Score:3, Insightful)

    by tarzan353 ( 246515 ) on Thursday May 22, 2003 @09:07PM (#6020358)
    No matter what path they choose, whether to be malicious hackers or peacekeeping notify-devs-before-it-gets-noticed types, the end result will be the same: better code.

    Now if only we can get MS to believe what us open source folks have been saying for years!
  • by cdn-programmer ( 468978 ) <terr@terralMENCKENogic.net minus author> on Thursday May 22, 2003 @09:10PM (#6020373)
    I live within walking distance of this university and I am a professional developer and have been for a number of years. Last fall I contacted their IT people and asked if they have any courses on C++ cross platform development. (Rightly or wrongly I elected to use wxWindows and C/C++ from now on - but I still ahve a lot of legacy code of course).

    I was suprised at the raw nerve I seemed to have hit with the prof I was speaking to because she became somewhat defensive.

    My position is that if we for instance go to sourceforge and check the projects that we will find that C/C++ is perhaps the most popular language for these projects. If I look at my development requirements my conclusion is that C/C++ is THE ONLY viable languge I would even consider using! In my career I have programmed on over 13 platforms and I have used over 13 languages - many of which are now obsolete. I don't think I am biased towards C/C++ or say biased away from say Java. I have my career and at this point in my life I am managing it! I encourge all other programmers to do likewise. What this means is that for me - if a client asks me to program in VB, Java, etc. my answer is that I will NOT take on the job.

    Given my strong feelings that C/C++ will be here for the foreseeable future - I find it totally ironic that the U of "C" doesn't even teach "C".

    As such - I consider them rather irrelevant.

    Furthermore as it turns out I was at the OpenBSD hackathon BBQ last weekend and made the point of asking the hackers how much Java there is in OpenBSD. They laughed. When I asked about C++ they were a little more serious and consided that perhaps there is some somewhere.

    So I commented to them that the Uof"C" doesn't teach "C" and was actually quite surpised to hear one chap pipe up that his company doesn't hire UofC IT grads.

    I think this is a really sad testiment to the department actually. My opinion is that they have a strong Java / M$ bias and I think this is rather sad. Just MHO...


    BTW - these comments should not be construed to critisize Ruby, Python, Perl, Bash, PHP etc. These langages all have their place and I use some of them. My comments are about the use of C/C++ for general purpose applications development where you might end up with 50,000+ lines of code.
    • This is, in fact, the case at many universities. The U of P, birthplace of ENIAC, teaches (this may change soon, apparently) O'Caml (a branch of ML) in the first semester of intro to programming. Talk about useless, perhaps, but the idea is not to teach just technical proficiency (something easily learned at a local community college) but to teach theory. O'Caml teaches recursion and functional programming well, and levels the playing field for those who have and have not had C/C++ in high school.


      • "the idea is not to teach just technical proficiency (something easily learned at a local community college) but to teach theory."

        I am about to graduate, and I am severly pissed at my university for just teaching me "theory." If they would have taught all the classes in C or Java, instead of an obscure, unused language, then I would actually be able to claim a high level of proficiency in a language on my resume. As it stands, I am now very good at the language my Uni uses to teach, but that is worthless o
    • by freeweed ( 309734 ) on Thursday May 22, 2003 @10:00PM (#6020660)
      University isn't about training coders. That's what college is for.

      A Computer Science program at any (Canadian) University worth its salt has maybe 3 or 4 programming courses, and the other 30+ are algorithms, databases, networks, algebra, AI, operating systems, distributed systems, parallel systems, real-time systems, security, automata, digital logic, data structures, software engineering, graphics, instruction set architectures, compilers, professional ethics...

      Note that any and all of the above are (relatively) language-independent. A CS student should be able to pick up a new language in a matter of days/weeks - but CS is not about syntax memorization.
    • by dghcasp ( 459766 ) on Friday May 23, 2003 @02:22AM (#6021846)
      Disclaimer: I'm a U of C grad, but I graduated in 1993.

      At the time, U of C didn't teach C either. Students were expected to be able to learn "C" on their own by third year, since they'd already been exposed to three or four different programming languages from different spheres. Once you were in third year, you could, for the most part, do your projects in whatever language you wanted, as long as the TA knew the language. Most students did their projects in C.

      As well, the first year courses almost always used languages that students were unlikely to have encountered ever before. This helped level the field between the people who were "xc3113nt C h4x0rz" and everyone else. Everyone started from first principles in functional programming.

      By the time I'd hit third year, I'd had courses where the language of choice were Pascal and Modula/2 from the "Von Newman" sphere, ML from the functional sphere, and PDP-11 assembly (was being replaced with SPARC assembly at the time) from the low level sphere.)

      By the time I'd graduated, I'd added courses that required languages based on category theory (Charity) and one based on primitive recursion (it only had zero(), succ() and recurse(x,y) functions and you had to define the whole rest of the language yourself based on those.) If I'd taken different courses, I would have been exposed to Lisp, Prolog, SQL, etc.

      The theory behind all this was they wanted to teach you different ways to think about problems, not just how to pound in a solution in C. People who just wanted to learn to code in C, be able to say they were a "programmer" and go on to a career went to SAIT or DeVry.

      Pick any academic program and you'll find people who think something is "missing" or can be "better." That's why they evolve over time. The main flaw I found with the U of C program (IMHO) was that the only course that really required you to deal with a large project (CPSC 510, full year, write a compiler from scratch) wasn't a mandatory course.

      But I'm glad I got my degree from U of C. And I'm not crippled in my ability to work in C/C++ because I never took a half-year course in it.

  • From the article:

    "The first official virus was in 1986 that someone was able to trace back to the perpetrators, which were two brothers in Pakistan," Seneker said.

    They were easily traced because they embedded their names and address in a virus.

    Or maybe this would be a course on how to avoid mistakes of the past...First lecture reminder: "DON'T write your names on the homework you turn in

  • sorry.

  • The course is open to 16 fourth-year students who must work under strict conditions in a secure lab cut off from Internet and cell- phones.

    I can see the no internet connections, but no cell phones? I can't think of any viruses that travel over cell phone networks and I think it would be simple enough to ensure that they can't transfer anything to their cellphones so they can't email themselves programs. Also other than containing any viruses let loose in the lab I don't think you can do anything other
    • If the machines weren't properly locked down, a tiny USB Bluetooth adaptor could be attached to the computer, and the right cellphone could be used (while still in its owner's pocket or bag, out of sight) to establish an alternate internet connection and spread the virus that way.

      Admittedly, you'd need some pretty inattentive instructors to not notice someone dicking around with the network settings on their machine, not to mention installing Bluetooth drivers-- but less likely things have happened.

  • by rice_burners_suck ( 243660 ) on Thursday May 22, 2003 @09:23PM (#6020461)
    I think this is a good move, but not for reasons that someone (who would mod this Funny) might think.

    One of the largest problems in the software business and the computer industry as a whole is an utter lack of knowledge. For some reason, I doubt that a field like, say, structural engineering would contain so many people who don't know jack. Buildings would collapse left and right. They don't, yet in computer jobs, there are hordes of people who make Windows applications by dragging shiny objects onto a pretty grid, fill in some properties, and call it programming. Lots of folks are taking computer science courses at the local community colleges, yet they don't seem "the type" to do this sort of work. (Indeed, I saw one girl studying at the local library... she was highlighting just about every sentence in a text about different types of loops, and she obviously wasn't "getting" it.) Why is this?

    There are many programmers who "get by" by writing cheesy code (with as many holes in it as Swiss cheese). The problems caused by this lack of expertise are enormous. Billions of damages are caused to businesses every year because of computer failures. Many of those failures are due to bugs in software. Many are due to security problems. How can the problem be solved? Passing legislation that makes it illegal to discuss security problems won't solve the problem. There would be "underground" discussions of these things, and the crackers would freely share information that law abiding folks won't. Crackers will break into systems more easily than before the legislation and businesses will be slow to react, causing more damages. It would be the computer equivalent of making guns illegal to law abiding citizens. (After all, the criminals are above the law anyway. If someone is so inclined as to murder people, what difference does it make if some silly law says he can't have a gun?)

    The unskilled programmers (who don't even like this work) should stop dreaming of getting rich quick. However, the programmers who are skilled should expand their skills in every direction possible. Certainly, each programmer should focus on the things he does best in order to be more effective at those particular skills, but there is nothing like experience in different types of programming to make someone flexible in this field, creating job security and expert authority. Perhaps a game programmer should try a small database job. Or a database programmer should try hacking some small feature into an operating system kernel.

    Viruses are a legitimate subject of study. By teaching viruses, universities will give people a lot of power. Some will undoubtedly use it for evil, and we'll get some new viruses out there. But this would happen anyway.

    Who, for example, are the best security consultants when it comes to credit fraud, insurance fraud, computer fraud, etc.? The perpetrators! There are examples of folks who committed all kinds of crimes and went to prison. Afterwards, they became "white-hat" consultants in their fields, teaching banks, governments, businesses, etc. how to protect themselves from people just like the consultant. They often make more money by teaching this knowledge for purposes of good than they did by committing the fraud in the first place. In other words, if you have experience with performing some act, then you undoubtedly know more about what makes someone vulnerable or safe from that act than any fool claiming to be a security expert.

    The advantage of teaching viruses, which heavily outweighs the disadvantage of misuse by a large degree, is that programmers who have experience with viruses--not just by removing them from friends' clutter-ridden computers but by writing them and finding out what is effective from a virus writer's standpoint--will be more effective at designing systems and writing software that is less prone to the evils of viruses.

    I think the field of Computer Science would benefit by teaching SPAM, cracking, and other forms of abuse in order that honest folks (nearly all of us) can protect themselves from the dishonest ones with the very same knowledge that makes the dishonesty so effective.

  • That's how I learned (Score:5, Interesting)

    by PetoskeyGuy ( 648788 ) on Thursday May 22, 2003 @09:23PM (#6020463)

    Anyone remember Mark Ludwig? I remember getting "The Little Black Book of Computer Viruses" and his other books. It contained excellent explanations of how programs work, COM, EXE strcutre and then how to use ASM to modify those programs. There were ever some polymorphic virus in there all with Source Code. His later books, The Big Black Book of Computer Viruses and Computers, Viruses and Artificial Life were all right, and discussed Alife ideas about the code really being alive in the "world" of the computer.

    I haven't read his latest book, The Little Black Book of Email Viruses: A Technical Guide [amazon.com]. I haven't thought about that stuff in a long time. It did allow me to find the ILoveYou virus and fix it at our company by quickly renaming the wscript.exe program since I learned to think about viruses in terms of what they needed to reproduce.

    Personally I think the Novell file security system would be an excellent way to combat viruses and other things. Read, Write, Execute, Copy, Modify and a few others all as true seperate rights. Pain in the but to configure, but very nice once it was setup

    Windows NTFS is a little better then just Read Only, Hidden, and System, but even the standard Linux RWX3 rights make me miss Novell. Anyone know if there is there a filesystem out there for Linux that has that level of rights?

    Personally I don't know if it's possible to have a secure system that that is still usable by the masses who just want to check there email and click OK on every message box that pops up. It's hard enough to secure things when you know what your doing.

  • Finally! (Score:3, Funny)

    by MongooseCN ( 139203 ) on Thursday May 22, 2003 @09:34PM (#6020515) Homepage
    This will let Bush make all those jokes about invading Canada become a reality.

    Wait, I meant liberate Canada from cyber terrorists.
  • by Tri0de ( 182282 ) <dpreynld@pacbell.net> on Thursday May 22, 2003 @09:37PM (#6020529) Journal
    The 'Eh?" virus coming our way.

    If America and Canada got into a war, where would all the draft dodgers go?
  • by teamhasnoi ( 554944 ) <teamhasnoiNO@SPAMyahoo.com> on Thursday May 22, 2003 @09:47PM (#6020574) Journal
    As I understand it, Canada is militarily weak. Why shouldn't they have a school for 'cyber-warfare'? It is one way that they could easily compete offensively - write a virus that takes guidance systems, communication, and perhaps some actual weapons (see American ship and Win NT) offline.

    This method would also be cheap in terms of raw materials. If you can threaten an attacking country with the destruction of their economy or failure of basic utillity systems, without having to mobilize a pile of troops, you're money ahead. Sounds like a plan.

  • Gun owners will argue that if your children learn to respect firearms, then they will be less likely to misuse them. Perhaps this will follow in the logic. But then again there is the "out of site, out of mind" theory as well.
  • by Frater 219 ( 1455 ) on Thursday May 22, 2003 @10:05PM (#6020689) Journal
    My job includes being the computer security guru for my workplace. In that role, it's my job to understand the way my clients' systems work, so that I can recommend effective operational ways to improve their security. It's also my job to understand the world of attacks -- not just keeping my ear to the ground regarding what kind of shit is going down at the moment, but understanding what attacks are possible, which are likely, and which are worthy of taking special defensive measures.

    I recommend strongly that anyone in a role like mine take some time to study viruses, exploits, rootkits, and other pieces of hostile code. These are a basic part of the security environment in the field. The more you understand the crap that the Net's rejects and crackheads are throwing at you, the better a job you can do.

    Here's just one example of what we can learn from viruses; a bit of an older example, so I'm not doing too much of your work for you:

    Let's say your client is considering a bonehead move -- like, say, deploying Microsoft Outlook enterprise-wide. Any security nerd can say "duh, Outlook sux0r, it's full of vulnerabilities, that's why it spreads viruses." However, if you have read the source code of the LoveLetter and Melissa viruses, you will realize (and can explain to your client) that these viruses do not exploit vulnerabilities at all -- at least, not in the sense of buffer overflows and other attacks which target bugs in software. These viruses don't crack anything -- they use perfectly ordinary, documented API calls. It isn't holes in the Windows Mail API that make it a virus breeding ground -- it's just its built-in, designed, intended functionality. That's why these viruses can still spread after years of bug fixes: their critical paths do not rely on bugs at all.

    What do we learn from these viruses? Security is not about patching bugs, or having bug-free software. It is about correctly modeling the trust relationships people have with each other regarding their computer resources, in software. The Windows MAPI's design implies an assumption that people want to entrust word-processing documents with the power to send hundreds of emails. That's obviously wrong -- and that, not any bug, is what must be explained to convince someone that Microsoft's mail software is a bad security choice.

    There are many more lessons to be learned by understanding hostile code. There are lessons about user interface design: many email viruses depend on getting the user to take some action (opening a message, running a macro, etc.) which unintentionally grants the virus trust and privilege (even the privilege to run code) that it should not have. To design secure systems for users, we must have user interfaces which do not promote such deception. There are lessons about system monitoring and the habits of sysadmins: Unix rootkits, which alter the system to conceal the tracks of an attacker, show just how easily a too-shallow maintenance or log-checking routine can be deceived. There are many lessons.

    Get yourself some virus source code. Google will help. Read rootkit code, and the analyses thereof which researchers on SecurityFocus [securityfocus.com] and other sites have published. Understand these attacks, and you will understand the systems they target better than you do now.

    • I completely agree. I think anyone who knew about these capabilities within Outlook, should have been able to predict the problems in advance too. When a friend discovered the same capabilities in Lotus Notes, he certainly did. (this was before the run-on-open outlook stuff).

      If more people actually tried to look forward and think what loopholes might be exploited in the future, rather than merely reacting, we might be able to secure more business software pro-actively rather than reactively.
  • by Brad Cossette ( 319687 ) on Thursday May 22, 2003 @10:40PM (#6020877)
    The instructor is Dr. John Aycock, and he's definitely one of the better instructors we have in CPSC. His focus is in compilers and OS's, and taught the 3rd-year OS class for I think the first time last Winter.

    He definitely has a strong security focus in his courses, and has one of the highest standards I've encountered in a prof regarding testing ( after turning in our implementation of an md5 hash as a system call in OpenBSD, he asked the class if anyone had tried testing with 1 Gb input strings. Just an example).

    There's another course with a similar bent - a 4th year SysAdmin course that's year-long and involves substantial network programming. I'm told that the instructors will take down the network during your examination, forcing you to fix things while still completing your test online. Past grads also like to hammer the servers the students setup.

    Personally, I'm glad to see these courses - most of these problems are things I've no clue about or would even think about how to prevent. Exposure is a start.

  • So am I a terrorist? (Score:4, Interesting)

    by rworne ( 538610 ) on Thursday May 22, 2003 @10:49PM (#6020936) Homepage
    My university here in California teaches a course similar to this at the 4th year undergrad or graduate level.

    I just finished writing my final exam (actually, a report) in the "Network Security" class. It was actually quite fun. The class is divided into several teams of 3 or 4 students and each team sets up an e-commerce site that is visited by an administrative team that logs successful transactions from their own machines.

    Each team's job is to keep their site up while simultaneously trying to knock other teams off of the network. Each site uses two machines with two different operating systems: Redhat 8 and Windows XP professional.

    Needless to say, we checked the security and hacking sites several times a day to make sure to be aware of new exploits creeping out.

    Hack sessions were "anything goes", we basically progressed from larval stage (script kiddie) to juvenile (perl, java and C based exploits.

    No one wrote any new exploits this time around, but a whole new batch of wet-behind-the-ears "hackers" are released from this univeristy every semester.

    Of course, the purpose of the class is to create an environment where teams can learn about security by practicing the arts of the "Black Hat". It was surely the most fun I have had yet in the university.

  • by Zork the Almighty ( 599344 ) on Friday May 23, 2003 @12:36AM (#6021472) Journal
    When they're on our side, they're called Freedom Fighters!
  • 10 years ago... (Score:5, Insightful)

    by dcollins ( 135727 ) on Friday May 23, 2003 @01:25AM (#6021673) Homepage
    Writing viruses was actually covered in the assembly language class I took at UMaine circa 1992, in the last chapter of the instructor-written textbook. The rationale in that case was that in informing CS students how easy it is to write viruses, they would no longer see them as technically impressive and therefore not be interested in pursuing their creation. (I just taught my first assembly class this past semester, and use this as an anecdote without actually covering it myself.)

    Since I have the text right here, I'll quote it: "...you do not have to be a genius to write a virus... Some people use virus writing to prove their programming skill, but this is poor proof of such skill in my opinion. It's about as much proof of genius as throwing a brick through a window."
  • by JohnnyCannuk ( 19863 ) on Friday May 23, 2003 @07:54AM (#6022611)
    "Know your enemy, know yourself and in a hundred battles you shall not lose"

    Sun Tzu :)
  • by SatanicPuppy ( 611928 ) <.Satanicpuppy. .at. .gmail.com.> on Friday May 23, 2003 @01:04PM (#6025054) Journal
    If you don't understand it, then your options in fighting it are limited. A noob running a blade cluster on a t3 line has only one option when some script kiddie takes over his system: unplugging it. Far from optimal.

    We have all this "anti-virus" software, but it is completely misnamed. If you get a flu shot, it's not an anti-virus, its a pallative. A weak shield against infection, not an active agent of protection. The same goes for the software that we currently use. I want to be able to unleash righteous nastyness against the damn viruses in my system, not poke around with fricking bloated software that's always playing catch up.

    Until we learn to beat them at their own game, then it will BE their game.

    Just my opinion.

Some people carve careers, others chisel them.