
Students Learn To Write Viruses

samzenpus posted more than 5 years ago | from the mischief-101 dept.

Security 276

snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."

276 comments

zomg zomg first prost! (-1, Troll)

PeteyG (203921) | more than 5 years ago | (#24504955)

poop lol is the best thing in th world because i'm the pirst ferson to comment

Lulzaplenty!

Re:zomg zomg first prost! (-1, Offtopic)

Deltaspectre (796409) | more than 5 years ago | (#24504957)

First child post!!!

Re:zomg zomg first prost! (-1, Offtopic)

PeteyG (203921) | more than 5 years ago | (#24504971)

rofl you don't get teh karma bonus, you're already zero ZOMG HAHAHA

Re:zomg zomg first prost! (5, Funny)

Anonymous Coward | more than 5 years ago | (#24504995)

I love the smell of burning karma in the morning.

Smells like... victory.

Re:zomg zomg first prost! (2, Informative)

lgramling (1064562) | more than 5 years ago | (#24505069)

Why don't we try to get the LAST post in the thread. That way we don't have to look at your comment, and you still have the satisfaction of "winning".

Yes (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24504981)

first post is mine

Re:Yes (-1, Troll)

PeteyG (203921) | more than 5 years ago | (#24505007)

are you serious? i commented twice before your post came in.

learn2post rofl! nub

Re:Yes (-1)

Anonymous Coward | more than 5 years ago | (#24505057)

omg you are teh fast! do u have dsl or sumthing?
  sry i suck @ life so much lol

/afk suicide

speaking of penetration... (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24504983)


Re:speaking of penetration... (1)

lgramling (1064562) | more than 5 years ago | (#24505113)

And what does this have to do with viruses?????

Re:speaking of penetration... (2, Funny)

Anonymous Coward | more than 5 years ago | (#24505303)

Use your imagination.

Re:speaking of penetration... (0)

Anonymous Coward | more than 5 years ago | (#24505463)

Hint: it's got to do the penetration part.

Re:speaking of penetration... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24505599)

Offtopic but interesting. Kind of an Ernest Hemingway meets Hunter S. Thompson thing going on.

Re:speaking of penetration... (5, Funny)

azuredrake (1069906) | more than 5 years ago | (#24505635)

> Thomas Fynan floods a bulletin board with huge messages from fake users.

Ah-hah! Got ya!

Penetrate even the best antivirus software? (5, Interesting)

ohcrapitssteve (1185821) | more than 5 years ago | (#24504989)

Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.

Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?

Re:Penetrate even the best antivirus software? (5, Insightful)

SoapBox17 (1020345) | more than 5 years ago | (#24505093)

In case that wasn't a rhetorical question, the answer is:
Because it is a computer class (probably part of a CompSci degree), not sociology/psychology. While targeting the user is a perfectly good way to go about breaking in to something, that topic area isn't very practical for computer science. I think the point of TFA is that the class teaches a lot more than "this is how to kill McAfee, now go run amok!" It is a good opportunity to think outside the box, and targeting the user is very much inside the box, and very low tech.

I'd be kind of pissed if I took a computer security class and it was all about social engineering.

Social Engineering VS Computer Sci (4, Insightful)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24505121)

I agree with soapbox, with

> I'd be kind of pissed if I took a computer security class and it was all about social engineering.

but if it was a course on penetration and end user abuse, then it would be completely relevant.

I think teaching the tools of the black arts is useful - you never know when you need to hack into a satellite system and broadcast the evil that it does around the world.

Re:Social Engineering VS Computer Sci (5, Funny)

MindlessAutomata (1282944) | more than 5 years ago | (#24505157)

I'd like to take a course on penetration. I might actually learn something.

Re:Social Engineering VS Computer Sci (5, Funny)

TubeSteak (669689) | more than 5 years ago | (#24505633)

> I'd like to take a course on penetration. I might actually learn something.

Unlike college courses, those 'teachers' charge by the hour.

Though if you are in college, you could take it as an... extracurricular.

Re:Social Engineering VS Computer Sci (2, Funny)

maxume (22995) | more than 5 years ago | (#24505663)

Or just do some petty crime so you get to spend some quality time in county -- the course is free, and apparently not an elective.

Zing!

Re:Penetrate even the best antivirus software? (-1, Troll)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24505185)

why are you so worried? it is a state school, it isn't like they learn anything there anyways...

Re:Penetrate even the best antivirus software? (1)

ohcrapitssteve (1185821) | more than 5 years ago | (#24505247)

It was a rhetorical question. I understand the scope of the class, and in the scope of the class, the specific technical subject matter makes sense. I more meant in general terms, as a critique on the "malware industry." I should have been more specific.

They need BOTH! (4, Insightful)

khasim (1285) | more than 5 years ago | (#24505399)

If you are learning SECURITY then the first lesson is that the PEOPLE are the weakest link.

You need to design systems that minimize the human error portion. That means designing systems where it is possible to tell the "good" code from the "bad" code. Where the average user can run an app to identify the "good" code from the "bad" code.

Where the warnings are sufficiently rare that the average user is NOT trained to just click "accept" when one pops up.

Re:Penetrate even the best antivirus software? (2, Insightful)

v(*_*)vvvv (233078) | more than 5 years ago | (#24505479)

> targeting the user is very much inside the box, and very low tech.

Well, yes and no. This is a computer class, so sure, let's just study what you can do at the keyboard, but if you are talking security, then the user is the weakest link. The hackers that have done the most damage and made the most money have all used social engineering at one point or another. And why does it work? It works precisely because it is outside the box - the computer box. Programmers and security experts can do all they can inside the box, but their systems are not secure if an idiot holds the key or gives out passwords over the phone.

So the most secure systems are not user dependent, but to understand how to avoid depending on the user and how to avoid creating secrets to guard, you will need insight into the social engineer-ability of a system.

Re:Penetrate even the best antivirus software? (3, Insightful)

mixmatch (957776) | more than 5 years ago | (#24505643)

> I'd be kind of pissed if I took a computer security class and it was all about social engineering.

Unfortunately for all of us, a technical attack is usually fixable by the next version of security software or the OS, while a psychological attack will continue working effectively as long as computers are operated by people. If the objective is to benefit from an exploit, as opposed to obliterating a system, it is nearly always more profitable to deceive the victim into believing that they are still in control of their system as well. I believe that a good attack would incorporate a high level of technical expertise, coupled with a social engineering deception. There is after all a saying,

> There is no patch for human stupidity.

I think anyone taking a computer science class that wants to disregard the human element of computing is not likely to be the most successful in the IT field.

Probably restating the obvious... (1)

kmkznobeikoku (1319847) | more than 5 years ago | (#24505439)

..but, there is a fairly Darwinian process involved here. While it may be easier, NOW, to go after user behavior, one shouldn't assume that ALL users are going to STAY stupid indefinitely. True, there will be a subset of those who will compensate for a lack of common sense by purchasing software to enable security for them, but as skillful compromising becomes more the norm, the costs of maintaining that "apparent" security will increase. What will likely remain are those of increased skill in regards to security, and those with increasingly deep pockets to pay for the efforts of the skilled. Barring legislation to the contrary, the non-skilled, underfunded folks that dabble occasionally online may very well find themselves denied stable access eventually, or could "opt-out" altogether. My 2p, FWIW.

Re:Penetrate even the best antivirus software? (1)

treeves (963993) | more than 5 years ago | (#24505475)

I can get the Taco Bell dog to read my email?? Does that work with Lotus Notes?
I've been missing out!

Windowless? (0)

Anonymous Coward | more than 5 years ago | (#24504991)

I think not!

Oh Joy more spam (4, Funny)

WiiVault (1039946) | more than 5 years ago | (#24504993)

Sweet, another person spamming my boards! And no, education isn't an excuse.

Re:Oh Joy more spam (1)

sr8outtalotech (1167835) | more than 5 years ago | (#24505145)

from the article:

> Ledin insists that his students mean no harm, and can't cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can't escape.

Not Hackers? (4, Insightful)

mordors9 (665662) | more than 5 years ago | (#24505003)

Not sure why the author phrased it that way. It should have read they are not criminals. They very well may be hackers. There is a difference.

Re:Not Hackers? (5, Informative)

fm6 (162816) | more than 5 years ago | (#24505097)

In ordinary English, a hacker is somebody who hacks into a computer system. That's not the way you and I use the word, but we're not most people. "Hacker" is one of many words that means different things depending on who uses it and in what context. Language is not a map.

Hackers (in the senses of "improvisational programmer" or "ethical student of security technology") often don't grasp this, and insist that the common usage of "hacker" is "incorrect" — even though the people who use it that way are in the majority. They've tried to get people to say "cracker" instead, ignoring the very small role Nabisco plays in computer security issues.

Re:Not Hackers? (0, Troll)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24505129)

> In ordinary English, a hacker is somebody who hacks into a computer system. That's not the way you and I use the word, but we're not most people.

... so, when living in the ordinary world, dealing with ordinary people ... or, say, writing an article for newsweek, you're probably better off communicating in a language that ordinary people understand.

Thanks for preaching to the choir though, maybe someone will find your comment insightful.

Re:Not Hackers? (3, Informative)

jeiler (1106393) | more than 5 years ago | (#24505279)

> Hackers (in the senses of "improvisational programmer" or "ethical student of security technology") often don't grasp this.

Actually, most (if not all) of them do, and take a perverse, quixotic joy in fighting against the majority usage. It's probably an issue of pride ("I'm a HACKER, not some scummy script-kiddie!"). I view it as about as "useful" as OS-flamewars, or endless arguments over editors.

And while we're talking about editors, don't get me started about emacs. ;)

Re:Not Hackers? (2, Insightful)

maackey (1323081) | more than 5 years ago | (#24505329)

Butterflies [xkcd.com] are the only way to go

Re:Not Hackers? (1)

jeiler (1106393) | more than 5 years ago | (#24505415)

"Dammit emacs!" :D

Re:Not Hackers? (1)

bluefoxlucid (723572) | more than 5 years ago | (#24505357)

eMacs suck as bad as iMacs

Re:Not Hackers? (0)

Anonymous Coward | more than 5 years ago | (#24505561)

(replying to kill accidental positive mod to parent troll. I hate it when using keyboard navigation keys later down a page alters a popup I set previously...)

Re:Not Hackers? (1)

giorgist (1208992) | more than 5 years ago | (#24505549)

Maybe we should start calling them "tinkerer".
You can't ask language to do as you say

G

Re:Not Hackers? (1)

maxume (22995) | more than 5 years ago | (#24505687)

Actually, you can ask all you want.

Re:Not Hackers? (1)

arth1 (260657) | more than 5 years ago | (#24505577)

No, they may not very well be hackers. A hacker is per definition self-taught. He hacks. If you get your knowledge from someone else, it's not hacking.

Good (5, Insightful)

Safiire Arrowny (596720) | more than 5 years ago | (#24505005)

Sounds like these students might actually learn something about computer security from this class.

Re:Good (1)

Darkness404 (1287218) | more than 5 years ago | (#24505425)

Exactly, in the end of most it comes to A) I know the difference between a virus, a worm and a trojan. B) I can scan with a certain anti-virus to remove the virus and C) I can use the Windows firewall!

All those things should make me secure? Right?

Re:Good (3, Insightful)

Jaime2 (824950) | more than 5 years ago | (#24505613)

So, police training should involve mugging practice and fire-fighter training should involve learning how to set fires. Now, I'm aware of the fact that in order to practice fighting fires, there has to be an actual fire to fight and someone has to set it. But, somehow I just don't see a five week training session at the fire department on the various ways to set different fires and how not to get caught.

Learning how to write viruses is largely a waste of time in an information security course. Yesterday's techniques will be antiquated tomorrow, why learn them next week? I know of information security programs in the wild right now that have the students run the old "ping of death" attack that only works on unpatched 1998 vintage systems. I've always felt that in a security course, the students should study past successful attacks and try to learn what techniques could have foiled the attack that wouldn't have required any knowledge unavailable to the attackee before the attack. Concentrating on the specifics of the attack instead of the specifics of the defense is not productive.

Students Learn to Write Viruses (0)

Anonymous Coward | more than 5 years ago | (#24505009)

So that's why so many viruses disguise themselves as needed codecs for watching porn videos!

Sounds pretty cool (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24505019)

I wish my computer security class in college had been like this. Most of the stuff we did had no creativity involved, nor complexity. We did some password cracking (using john the ripper), sniffing on a network, and a SQL injection. Kind of lame compared to the stuff in TFA.

Re:Sounds pretty cool (5, Funny)

Pictish Prince (988570) | more than 5 years ago | (#24505241)

Well, they said it was a windowless class, so I guess it's higher than entry level.

Re:Sounds pretty cool (1)

Krusso88 (1252390) | more than 5 years ago | (#24505733)

Are you sure they don't mean Windows-less??

No great accomplishment (4, Funny)

John Hasler (414242) | more than 5 years ago | (#24505031)

> Their professor, George Ledin, has showed them how to penetrate even the best antivirus
> software.

That and $.10 will get you a year's supply of fake Viagra.

Teach me! (0, Offtopic)

B4light (1144317) | more than 5 years ago | (#24505039)

I want to learn this stuff

So what? (5, Insightful)

x_MeRLiN_x (935994) | more than 5 years ago | (#24505041)

I was under the impression that all security courses worth their salt taught skills that could potentially be used maliciously. How does one learn how to be a penetration tester? What makes this case different?

Polymorphism is at least an option in most Computer Science courses. Does one really need to sit down and be taught "how to write viruses" specifically? Or can a huge amount of people who write code use their initiative and learn how to write any kind of application?

> Managers at some computer-security companies have even vowed not to hire Ledin's students.

What companies? Would they want to work there anyway?

Re:So what? (2, Interesting)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24505153)

> What companies? Would they want to work there anyway?

Spot on! I mean, why work for a security company, when you can work for a government? Isn't that what this guy is going to do [bbc.co.uk] in new zealand?

and ... failing a government contract, why not just 'make' your own money using your newly found l33t haxx0r skillz from school?

Re:So what? (1)

beaverbrother (586749) | more than 5 years ago | (#24505183)

The security companies don't like this because part of the class teaches how to get around Firewall software. While most security classes teach concepts and how to hack software designed as an example, this is demonstrating exploits on production software out in the wild.

Re:So what? (1)

ksd1337 (1029386) | more than 5 years ago | (#24505239)

These companies are getting free bugtesting and security scanning. They should make something where the class gets paid to demonstrate these vulnerabilities on their software, and then they use the information to write patches and updates.

Re:So what? (3, Insightful)

x_MeRLiN_x (935994) | more than 5 years ago | (#24505287)

So..? The ability to "hack software" is the ability to find exploits. An exploit that only you know is far more dangerous than one that circulates widely enough to reach the attention of a college lecturer.

There are public lists of unpatched exploits [milw0rm.com]. It's easy to become part of an underground community that pools their exploits.

My point being, this knowledge is incredibly easy to obtain by anyone. I'm inclined to believe that college students receiving tuition from an ethical hacker who presumably intend to gain legal employment are less of a risk to society than people who decide to Google for the latest exploits so they can exact revenge on an employer (for example) or those with truly nefarious intentions and are talented enough not to need outside tuition.

Re:So what? (2, Insightful)

quadelirus (694946) | more than 5 years ago | (#24505359)

I don't think one needs to be taught how to write viruses.

Case in point for the sake of argument:

A buffer overrun is a common vector for malicious code. Knowing what types of code causes a buffer overrun is required to protect against them. Practicing writing assembly code to insert into the buffer to actually exploit something is not. Teaching exploitation is not necessarily the same as teaching protection.
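The distinction drawn in the comment above, as an added example that is not part of the original post: a parser for a constructed length-prefixed record, first in the form that causes an overrun and then with the bounds checks that prevent it. The wire format, the function names and `NAME_CAP` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical destination capacity, including the terminating NUL. */
#define NAME_CAP 16

/* Constructed wire format for this example:
 *   [1-byte length n][n bytes of name]                                   */

/* Overrun-prone form: the length byte comes from the sender and is trusted.
 * `out` must point to NAME_CAP bytes, but nothing enforces that: a length
 * of 200 writes 200 bytes into it and also reads past the end of `msg`.   */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char *out)
{
    (void)msg_len;              /* never consulted: that is the defect */
    uint8_t n = msg[0];
    memcpy(out, msg + 1, n);    /* no bound on n */
    out[n] = '\0';
    return n;
}

/* Hardened form: the claimed length is checked against the bytes actually
 * received and against the destination capacity before anything is copied.
 * Returns the name length, or -1 if the record is rejected.               */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;              /* no length byte present */

    size_t n = msg[0];
    if (n > msg_len - 1)
        return -1;              /* claims more bytes than were received */
    if (n >= NAME_CAP)
        return -1;              /* would not fit together with the NUL */

    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t ok[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t bad[] = { 200, 'A', 'A' };  /* claims 200 bytes, carries 2 */
    char name[NAME_CAP];

    printf("valid record    -> %d\n", parse_name_checked(ok, sizeof ok, name));
    printf("oversized claim -> %d\n", parse_name_checked(bad, sizeof bad, name));
    return 0;
}
```

Only the checked function is called on the malformed record; the unchecked one is kept for side-by-side reading.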

Re:So what? (0)

Anonymous Coward | more than 5 years ago | (#24505661)

> How does one learn how to be a penetration tester?

Seriously? No one on this oblig... I'm late to the story, but sheez. Get a partner and practice.

Old News (4, Interesting)

dcollins (135727) | more than 5 years ago | (#24505051)

Virus writing was part of my assembly & architecture class circa 1990.

Cynicism (1)

Adreno (1320303) | more than 5 years ago | (#24505061)

At least when one of these students eventually loses self-restraint, they will be more well-educated than some 13-year-old that randomly Googled for "hacker tools", downloaded and ran the first file they found!

Hostile Authorities (1)

tobiah (308208) | more than 5 years ago | (#24505065)

What's interesting to me is the response in the article from the various authorities: the anti-virus companies want him to stop and some have sworn not to hire his students, and the government's apathy about what he's doing.

Re:Hostile Authorities (0)

Anonymous Coward | more than 5 years ago | (#24505125)

Gee, an industry propping up a failed business model based on fud? In my internets?

Re:Hostile Authorities (5, Interesting)

Darkness404 (1287218) | more than 5 years ago | (#24505333)

Yes, but why are they even caring? I mean, today I picked up a copy of 2600 from a local bookstore, in there I learned how to do ARP poisoning, obtain malware via a honeypot, and all kinds of info that is similar to this. Yet I don't see the FBI raiding 2600's publisher burning all copies of the magazine.

You can get cracking techniques from loads of places, this guy's teachings are old news.

"We've Changed this Game" (4, Insightful)

KnowledgeEngine (1225122) | more than 5 years ago | (#24505067)

In response to AV vendors' reply "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place,"
Normally if something is going to succeed, it evolves to overcome natural or manmade barriers to its existence.
In a way, the fact that the malware and viruses evolve within days of AV updates says that the AV companies are nothing but an annoyance to the writers of the malware.

Re:"We've Changed this Game" (5, Interesting)

Anonymous Coward | more than 5 years ago | (#24505253)

I used to write viruses. Evading anti-virus software was sort of like the testing/tweaking phase of software development -- "oops, McAfee flagged it as suspicious, let me modify this line of code here, this one here... ahah, fixed".

The truth is, anti-virus technology hasn't significantly changed since the DOS days. It's all about heuristics, pattern-matching, and behavior-preventing. It's trivial to evade these technologies.

How long before Ledin is visited by DHS? (1, Insightful)

spiritgreywolf (683532) | more than 5 years ago | (#24505087)

Seriously - no troll. How soon before even teaching this kind of skill, even in the name of security, will require special licensing, background checks, and any other array of "Security Theater" tactics brought forth by the Department of Homeland Security?

Hell, we can't _legally_ export anything with strong encryption but we allow multi-cultural students to learn cyber-terrorism tactics?

$20 says the instructor Mr. Ledin is either carted away to Guantanamo Bay, contract killed by McAfee or Symantec or hired by some euro country with too many consonants in their name...

Re:How long before Ledin is visited by DHS? (1)

jmv (93421) | more than 5 years ago | (#24505163)

How soon before even teaching this kind of skill, even in the name of security, will require special licensing, background checks, and any other array of "Security Theater" tactics brought forth by the Department of Homeland Security?

Actually, the background check should be for students, not teachers.

...contract killed by McAfee or Symantec

Just the opposite. He will likely both the future McAfee/Symantec employees and the new virus writers that will keep them in business.

Re:How long before Ledin is visited by DHS? (2, Insightful)

shadwstalkr (111149) | more than 5 years ago | (#24505207)

$20 says the instructor Mr. Ledin is either carted away to Guantanamo Bay, contract killed by McAfee or Symantec or hired by some euro country with too many consonants in their name...

Seriously? Virus writing is extremely well documented all over the internet, and has been for a long time. Anybody with some initiative can learn this stuff, and really it's probably the best way to learn assembly, executable formats, and a whole slew of cool little tricks you can do with a computer. Virii do a lot more than delete files. There is a lot to learn by building rockets, and we shouldn't stop just because some people like to put explosives on theirs.

That said, I wouldn't be surprised if Mr. Ledin is reprimanded by the university administration for getting bad press.

Re:How long before Ledin is visited by DHS? (0)

Anonymous Coward | more than 5 years ago | (#24505691)

*cough*...viruses...*cough*

Re:How long before Ledin is visited by DHS? (1)

josmum (828708) | more than 5 years ago | (#24505221)

More importantly, how long before I can poop in your ear and eat it out with a spoon?

Re:How long before Ledin is visited by DHS? (3, Insightful)

failedlogic (627314) | more than 5 years ago | (#24505257)

Maybe he is working for the DHS, you insensitive clod!

Interesting point nonetheless. There is a difference between classroom and reality. In a psychology, medicine, chemistry, biology, criminology ... whatever class at any level you are taught some pretty dangerous stuff. 99.99999% of students are sane, normal human beings that won't use the info. It's that small %age of students who will do something that are the concern. I don't think taking the class in-and-of itself is the catalyst to being a cyberterrorist. I would at least question the intentions of students that *already* know a few too many things in the class or get an A+ effortlessly for the course.

Re:How long before Ledin is visited by DHS? (1)

Darkness404 (1287218) | more than 5 years ago | (#24505371)

Look, I honestly don't get what the big deal with this is. Today I walked into a bookstore and got a copy of 2600 and Hakin9; both told me how to make malware. Now, granted, it didn't go into much depth, but I can search on Google for the rest of it.

I don't understand how anyone would hire a penetration tester that hasn't written a virus and doesn't understand how they work.

Re:How long before Ledin is visited by DHS? (1)

bluefoxlucid (723572) | more than 5 years ago | (#24505413)

I would at least question the intentions of students that *already* know a few too many things in the class or get an A+ effortlessly for the course.

You mean like me?

You seem to be under the impression that programming in assembly and modifying compiled load modules are difficult tasks. These files have a big table that describes their structure, code, special considerations i.e. stuff that has to be adjusted if code moves, etc. If you understand the data structure, messing with it is trivial.

Re:How long before Ledin is visited by DHS? (1)

ZDRuX (1010435) | more than 5 years ago | (#24505391)

Mark up OP please, it is a real issue.

Sure you're going to say, hey - virus tools and information is on the net everywhere. But for how long? This was the case with Terrorist textbooks, and look where that's getting people, landed in jail! Same goes for P2P programs, sure they're for "educational" purposes and can be used legitimately, but sooner or later some politician of the government will find a way to usurp the good will of these people and brand them as "soon-to-be-identity-thieves" in some mock "save the children" scenario.

....anything is possible with these post-9/11 governments we have.

OH MY GOD (-1)

Anonymous Coward | more than 5 years ago | (#24505099)

We're Doomed!!!

actually writing a computer virus that will track keystrokes is extremely easy to do. If anyone graduates from College with a degree in computer science and doesn't know how to do this already they should have there degrees taken away from them.

Re:OH MY GOD (1)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24505169)

don't you mean actually writing a computer virus that will record keystrokes is extremely easy to do. If anyone graduates from College with a degree in computer science and doesn't know how to do this already they should have their degrees taken away from them.

I agree, partly. But ... if anyone graduates from high school and doesn't know how to speak/write in english, we should revoke their diploma as well.

Re:OH MY GOD (1)

Darkness404 (1287218) | more than 5 years ago | (#24505307)

Hey, Slashdot is one of the few places online where people actually talk without a bunch of slang to seem "hip" just look at YouTube comments. Slashdot is much, much, better.

Re:OH MY GOD (1)

KGIII (973947) | more than 5 years ago | (#24505309)

Something about glass houses and stones... English is a proper noun with a capital.

Re:OH MY GOD (1)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24505761)

touche.

Sounds tough (1)

CrazyJim1 (809850) | more than 5 years ago | (#24505103)

Cracking the best antivirus software is tough when you consider you have to write a completely new virus to do it. Oh wait that's easy.

Re:Sounds tough (1)

Darkness404 (1287218) | more than 5 years ago | (#24505283)

No. For most you only need to write a line of new code. For example, if the Anti-Virus flags any files being added called Spamb0t.exe, you can rename it Spammer.exe and it would work.

Re:Sounds tough (0)

Anonymous Coward | more than 5 years ago | (#24505431)

If your anti virus software uses nothing more than a file name to tag an executable as malicious you might want to think about acquiring some better AV software. If you want to know how AV really works (and how to defeat one that doesn't use methods like heuristics) take a look at http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4 [shmoocon.org]

Re:Sounds tough (0)

Anonymous Coward | more than 5 years ago | (#24505473)

Wooosh!

Weak sauce. (1)

iztehsux (1339985) | more than 5 years ago | (#24505261)

Formally learning how to engineer such products seems counter productive. Taking apart trojans/viruses seems useful, but this is just asking for trouble. You're taking script kiddies, giving them slightly more knowledge and a bit of confidence. It is fairly apparent that no major security company would hire any of these clowns, why train them to cause trouble?

Re:Weak sauce. (5, Insightful)

bluefoxlucid (723572) | more than 5 years ago | (#24505465)

Because breaking into things and creating stealthy shit is the greatest problem solving skill you will ever find.

By nature, to break into a computer, you have to force it to do something it (software, sometimes hardware i.e. Intel errata) was specifically not designed to do. Usually this amounts to something not obvious to 100% of the rest of the world for some strange reason being obvious to you. The more experience you have warping completely tame and working interfaces in perverse ways due to minor quirks, the easier this becomes.

Load modules and shared objects aren't designed to be altered like that; and in this case you have a system designed specifically to catch and prevent you from doing what you're doing. This is, again, forcing something into a position it's not designed to operate in to achieve a predictable result.

Carmack's Reverse, Duff's Device, and even Edison's light bulb worked from these same principles; remember, by its very nature you cannot have light without fire.

Re:Weak sauce. (1)

iztehsux (1339985) | more than 5 years ago | (#24505497)

Point well taken, sir. I salute you.

That's strategy at its best... (0)

Anonymous Coward | more than 5 years ago | (#24505267)

This teacher is doing nothing wrong in my opinion. In fact, he is doing something that should have already been done by all other computer-security classes in the world. After all, how the heck would you stop something to happen if you don't even know how it happens?

Just like Sun Tzu once said "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."

The security companies are just afraid of 2 things... Losing credibility and also being a victim of some black hat student of this teacher.

Clamwin? (0)

Anonymous Coward | more than 5 years ago | (#24505317)

Shouldn't AV have a chance at Open Source as much as anything else?

But.... (0)

Anonymous Coward | more than 5 years ago | (#24505383)

...I codes on Linux, you insensitive clod!

linux (1)

slack_prad (942084) | more than 5 years ago | (#24505419)

Do they target only windows or does their 'education' involve writing viruses for other platforms as well?

Lag Enough? (1)

Mr Pleco (1160587) | more than 5 years ago | (#24505433)

The original media release by the SSU media relations department is dated in Spring of 2007. Why is this JUST NOW crawling to the top of the news heap?

Viruses in a WINDOWsless environment ? (5, Funny)

destinationPattern44 (1224474) | more than 5 years ago | (#24505483)

"In a windowless underground computer lab in California, young men are busy cooking up viruses" it's IMPOSSIBLE! Viruses need Windows and they won't run in a Windowsless environment.

Is there, or should there be a line to education? (2, Interesting)

grilled-cheese (889107) | more than 5 years ago | (#24505485)

I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users.

So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?

Re:Is there, or should there be a line to educatio (3, Insightful)

Mr Pleco (1160587) | more than 5 years ago | (#24505529)

I agree that learning these skills is important if computer security is what you plan to do legitimately for a living. As much as I would have loved to take a class like that in college, I don't believe ethically I could have participated. By having students practice these skills in the real world they are just adding to the already enormous problem. I believe a well built simulation environment could serve the purpose just as well without causing problems for other users. So is there a line these students have crossed by practising their skills in the wild? Should a policeman learn to solve crime by committing it for example?

Think of it as a locksmith learning how to open locked cars or houses, not so much policemen causing crimes to learn to solve them, as by definition as long as you aren't breaking the law, you're not a criminal.

Missing tag (1)

J.R. Random (801334) | more than 5 years ago | (#24505487)

Where's the inevitable WhatCouldPossiblyGoWrong?

virus writing 101 (1)

troutsoup (648171) | more than 5 years ago | (#24505553)

i had an assignment in a systems class in college to write a virus. half the class was outraged at such a thing the other half thought it was the most awesome idea evar. prof reasoning behind it is if you knew how to exploit a system at such low levels you knew systems programming very well.

my virus was a masterpiece com infector that infected up to 3 .com files and announced each as it was doing it. wheeeee fun!

so what? (0)

Anonymous Coward | more than 5 years ago | (#24505583)

i don't see why this is news. We have people make new dangerous stuff all the time... new microwave weapons to fry crowds, bigger, badder guns to blow up people "better" than we already do, etc. We even have people that work with deadly organisms and it's worked out well... ok...not a good example...

but anyway, we try to beat the system in all fields, none react quite so quickly to being broken as software, so it's slightly more dangerous. But it's not like somebody wouldn't have figured out how to get around systems anyway... it's better that the "good guys" figure out first.

711CE2644B55BB071F36457E9783E0EE3A4D9EA0 (0)

Anonymous Coward | more than 5 years ago | (#24505595)

711CE2644B55BB071F36457E9783E0EE3A4D9EA0
#include <stdio.h>
int main(void){return printf("hello, world\n");}

Cyber-Terrorism (2, Funny)

prakslash (681585) | more than 5 years ago | (#24505627)

This guy is teaching cyber-terrorism !!

The SAS could take out any one of these training camps.
Kill everybody there, and be gone before the echo fades.

we have that in vienna for years... (5, Informative)

Meshugga (581651) | more than 5 years ago | (#24505749)

as a two-semester course.

It is held at the technical university in vienna and is called "InetSec"

http://www.iseclab.org/InetSec/ [iseclab.org]

The course has a very high quality and includes practical exercises like sql exploits, writing buffer overflows, trojans and the like.

You even get your own automatically generated "1337 handle" upon subscription to the course, and you can advance from "script kiddy" (not homework assignments aka challenges turned in) to "master guru" (turned in everything + extra work + participated in a CTF) - so actually participating in the course is more fun and play than work ;)

I wonder why that article is news, since there is a CTF (http://www.cs.ucsb.edu/~vigna/CTF/) held every year, where a lot of universities and colleges from everywhere participate - i doubt they don't have similar courses.

Then again, since the viennese guys kick ass at these contests... ;)

In other news... (1)

betterunixthanunix (980855) | more than 5 years ago | (#24505751)

...a 19 year old Finnish student has embarked on a project to learn more about his computer by writing a kernel.

No really though, I remember reading about this or something similar years ago.