TECHNOLOGY

This Bug Man Is a Pest

George Ledin teaches students how to write viruses, and it makes computer-security software firms sick.

 
 
Member Comments
  • Posted By: joe 6pack @ 08/27/2008 8:06:54 PM

    Comment: just what we need

  • Posted By: Ay1244 @ 08/08/2008 12:13:56 PM

    Comment: I'm absolutely outraged by this article. These kids are learning invaluable security skills in a safe environment, and Newsweek is portraying them as criminals in training. This sort of learning is absolutely crucial to writing well secured applications.

    Internet security is a real hot button issue in today's computer-centric world, and finding employees that can lock down and secure code is imperative for companies who deal with lots of personal information on the web. Almost innumerable websites have major security vulnerabilities that are just waiting to be hacked by some of the savviest crackers.

    How do you fight this? It's relatively easy. If you know how to hack something, if you know where something is vulnerable, if you know where there are flaws in a program; you can use that knowledge to tighten up security on that site. It's not hard logic to follow. In fact, there's an IT job that revolves around this called penetration testing. People doing penetration tests need to know how to hack web sites so they can let major companies know where there are exploitable pages, or coding flaws. Maybe if Oklahoma had had some pen testers check their Sex Offender Registry Roster, they wouldn't have been susceptible to an almost trivial SQL-based attack. http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

    Hackers and security professionals have the same set of tools at their disposal, and the same knowledge to back themselves up. The only thing that really sets them apart are their morals and ethics. I'm outraged at how this article is portraying the professor of this course as a criminal, and how they go on to portray his students as his only little private hacking group. I have never seen a tech article loaded with so much ignorance before today. The lack of common sense, and the lack of computing knowledge alone is horrendous, even without mentioning how you guys failed to mention anything positive about this program in depth. Furthermore, I have a hard time believing any top security company would refuse to hire these students, and the fact that you don't name these companies doesn't make me believe it anymore.

  • Posted By: leonb25 @ 08/07/2008 3:24:43 PM

    Comment: I think this is absolutely brilliant. I took a computer security course (sadly online) and the amount of stuff I learned in the one semester, I would have drooled in class at the complexity and brain power needed to understand and successfully execute a security algorithm.

    I am a freelance PC tech and a systems admin at a firm in Manhattan, NY. These students are being armed with the tools they will need when they graduate, hopefully they are in their later years of college. I run across countless computers that have spyware problems, as this is a very profitable business.

    Spyware companies spend millions for hackers and other devious code writers to circumvent all possible security holes, tricks, manipulation and the like in an effort to annoy the customer to no end and scare them sh!tle$$. And most computer users are NOT smart enough to know that even buying WinAntivirus will NOT get rid of the virus/spyware problems and popups. Sometimes I have to manually remove dll and dummy files that hide all over the place, to manually starting specific services and removing fake ones that transmit over your internet connection. Software solutions will almost never be enough as there are so many holes to fill, it makes sense to just keep patching them. Windows XP and Vista are so easy to get into, it's almost ridiculous to even broadcast a tutorial on TV as almost no one will get it, lol.

    Just like a mechanic knows how to fix a specific problem with your car, these students will come out knowing how to effectively get rid of these threats and annoyances.

    Leon B.

  • Posted By: CAProgrammer @ 08/07/2008 2:07:57 PM

    Comment: Since these companies are so negative about these students, why don't they put the mouth where their code is and have an anti-virus competition with these students .... a virus neither competitor has dealt with that is within the scope of the students' class and see who can come up with the best security solution.

  • Posted By: CAProgrammer @ 08/07/2008 1:55:09 PM

    Comment: I am a former student of Ledin's in other classes, and must say that my colleagues that came out of that class really know their stuff about COMPUTER SECURITY. Everyone talks about how these students are writing viruses, but forget the whole point of the class, to make computers more secure. This subject is incredibly complex with encryption and decryption algorithms that are begging quantum computing to aid in their computation. So in a subject as complex as this, why not arm students with everything they need to stop these new threats. Clearly these companies are afraid of the direction that education is going.

  • Posted By: OneTimePoster @ 08/07/2008 12:41:49 PM

    Comment: So many people cheering him on.

    Do any of you use locks on your house?

    Would you be cheering a course at your local school on how to pick locks? Hey, you have to know how to pick locks to build better ones, right?

    The Internet is worldwide. Any school is local for everyone around the world.

    I think those who favor this school of thought are misinformed. What the schools need to teach is computing "proofs". I notice that few CS students today know anything about coding proofs. A perfectly written program would have no *code* vulnerabilities (people can still be suckered to just open the locked door and let people in, called social engineering). But perfect programming is sometimes considered unwieldy. But at least, when programmers make their stuff "more efficient," they should know what they're cutting and the risk exposure that they're introducing. For too long, programmers didn't know or pay attention to making sure they wrote their programs well.

    I learned how to pick locks in school. Hope he's also teaching ethics of programming at the same time so the students aren't tempted to turn their new found knowledge into easy cash.

  • Posted By: Natasha26 @ 08/07/2008 9:12:23 AM

    Comment: McAfee and Symantec truly manufacture useless products. They are the MS of security software. I remember using a free online scanner which found 1 rootkit and a virus-variant and what did my all-paid-for and up-to-date Norton detect? Nothing, I was using an infected PC all that time!

  • Posted By: skellybootle @ 08/06/2008 11:42:26 AM

    Comment: I've been trying to build support for Ledin's crusade via my columns in ACM QUEUE Magazine. There's a depressing apathy in the IT community but once you've suffered a malware invasion (as opposed to reading of other folks' troubles) it's amazing how quickly you 'see the light.' BUT, here's a MAJOR CAVEAT: we are still far from the point where the INTENTIONS of a piece of code can be automatically discerned by scanning its bytes. We still rely heavily on looking for PATTERNS based on KNOWN Malware attacks. New malware strategies creep by until the harm is detected, analyzed and added to the KNOWN virus database. As other commenters have noted, it's an endless fight between invaders and defenders. We need the CLEVER sods like Ledin and his Lads on our side. YET, let's not expect that Man's Innate Propensity for EVIL will go away any time soon.

    Stan Kelly-Bootle

  • Posted By: abadreview @ 08/05/2008 9:51:09 PM

    Comment: I agree, we need to hire the best hackers around, pay them extremely well, and use them to take out the other hackers who might actually do some harm. I like to think that the C.I.A. has already thought of this, and is already implementing it. It's much like the "Catch Me If You Can" type of phenomena. Also, I'm constantly hearing about Chinese hackers hacking into U.S. government websites...scary stuff, and it shouldn't be happening. Time to kick some hacker @$$ America, the Chinese are snooping around our government websites literally all the time. It's only a matter of time before an adversary of the U.S. attempts to attack us using cyber-warfare, we need to be ready, and we need to be outsmarting these dingleberries!

  • Posted By: darnell03 @ 08/05/2008 7:43:32 PM

    Comment: Hackers are the lowest form of predators there is, much like a pedophile, who seeks out to find his next vulnerable child. They are *** worthless.

  • Posted By: sintaks @ 08/05/2008 1:30:28 AM

    Comment: More power to him.

    The best defense against black-hat hackers is black-hats fighting for the good guys (grey-hats). It's a constant race to see who is better. Being able to easily identify vulnerabilities is the first step in preventing (that's right, preventing, not just "fixing") them.

    Naturally, the commercial anti-virus company would be peeved. They see it as a potential threat. Instead, they should be seeing these students as pools for potential employment. The federal government is foolish to trust the nation's security to faceless coders behind locked doors. There's no real guarantee of quality when the company hired is also holding the metrics for "success."

    Hackers of the world unite!

  • Posted By: nymble @ 08/04/2008 7:29:29 PM

    Comment: It's great to see this instructor taking positive action to educate students. There are many analogies - like trying to build cars without engineers studying crash tests. Malware only exists because of flaws in programs. If students are taught these issues it will greatly help future products to be less susceptible to attack.

  • Posted By: wolfbreath @ 08/04/2008 12:10:05 PM

    Comment: Too many vulnerabilities get exploited, & I'm tired of living in fear. I've known, & fairly tech-savvy people are aware that companies like Symantec/Norton offer (incomplete) protection, it's a joke to pay so much money for it. These programs are so painful, it's hardly different than computer viruses. Root for the underdog, who is taking the time to understand, create, & maybe revolutionize anti-virus/malware protection.

  • Posted By: captjack5169 @ 08/04/2008 11:36:50 AM

    Comment: I see no cause for concern. This man is teaching something that should be required for all computer science students. You don't have to go to college to learn how to exploit and make malware; you can learn it on the internet. Ledin hopes to reverse the trend by starting what will probably turn into a generation of ethical hacking and anti-malware defense. You have to know what the problem is and how it got there to stop it. It doesn't matter how much you spent on your antivirus program. I have seen some spend thousands of dollars and I have seen some spend nothing and still end up with the same exact virus. The cure is education. How not to get that virus, and when and if you do get it, how to stop it.

  • Posted By: dhopfe @ 08/04/2008 11:21:12 AM

    Comment: It is true that the only way you can fight a computer virus is to understand how it is constructed. So what is being done to teach students how to write it will help over all because they will understand it.

  • Posted By: stelarxgamerz @ 08/04/2008 11:15:24 AM

    Comment: WHAT HE IS DOING MAY BE LOOKED DOWN UPON BUT SO IS STEM CELL RESEARCH. THERE IS A LOT OF GOOD THAT CAN COME OUT OF TEACHING PEOPLE TO WRITE VIRUSES.

  • Posted By: fingercurse @ 08/04/2008 11:06:58 AM

    Comment: This is excellent. The computer industry needs staff who understand the internals of the platforms and how to express the vulnerabilities. Regardless of what these students learn and do, the vulnerabilities exist and will be exploited by evil-doers for profit or worse.

  • Posted By: chevychick1983 @ 08/04/2008 10:58:25 AM

    Comment: If you ask me, McAfee should hire him to teach them how to make their anti-virus software better. Sounds like they are jealous. ;-)

  • Posted By: gfrisbie23 @ 08/04/2008 10:51:22 AM

    Comment: I think Ledin should be arrested and jailed! I've been hit twice in 6 mo. with ID theft.

    • Posted By: KevinC1961 @ 08/04/2008 4:52:30 PM

      Comment: Most ID theft is because the original user didn't take care of his PC. This guy should probably be looking in the mirror to place the blame.

    • Posted By: captjack5169 @ 08/04/2008 11:41:00 AM

      Comment: A little note about ID theft: You don't have to use a computer to have your ID stolen, you don't even have to be on the grid to have your ID stolen. Lesson learned, if you have a car they have you, if you have a social security card they have you, if you have a bank account and you bought your wife's anniversary gift on the internet they have you. 60% of ID theft is committed outside the U.S.

    • Posted By: Pinhead @ 08/04/2008 10:55:06 AM

      Comment: So you think Ledin or one of his students was behind this.

  • Posted By: Pinhead @ 08/04/2008 10:51:09 AM

    Comment: Good for him. Computer code good and bad is not the equivalent of the Atom Bomb. A closer analogy would be to gun control whereby taking them away from law abiding citizens would leave them only in the hands of criminals.

  • Posted By: bertio @ 08/04/2008 10:46:15 AM

    Comment: Good going Ledin. "A man ahead of his time" Maybe one day sooner than you think we'll have a (Public)National / International (HACKER REGISTRY). Sounds like something the Government would love to get into. Oh!, I'm sorry, probably is already into. So, let's assume that if you (HACK) you're already on their "*** list" (Wouldn't wanna be there.)

  • Posted By: bertio @ 08/04/2008 10:39:11 AM

    Comment: Good going Ledin. "A man ahead of his time" Maybe one day sooner than you think we'll have a National, if not International (HACKER REGISTRY). Sounds like something the Government would love to get into.

  • Posted By: tkm256 @ 08/04/2008 9:05:47 AM

    Comment: Technically, these young men are hackers. All computer programmers are hackers. What the author meant, I'm sure, is that they aren't crackers--people who deliberately disrupt computer security.

  • Posted By: Daytonasun @ 08/04/2008 8:58:26 AM

    Comment: Kudos for Ledin. He is absolutely right -- teaching how viruses are made sounds like the beginning of a class on how to prevent them. The "G-man" wants to control who gets to learn the insides of computers. We should all know more about the protection we have and how to increase our security, since we ALL rely on computers now and will replace paper and communication in the near future. Wish much luck to Ledin and his potential program!

  • Posted By: daplane @ 08/04/2008 8:37:41 AM

    Comment: Kudos to this man for exposing the near uselessness of today's antivirus software. Hopefully some real software security company will also see the value here and provide him with a grant.

  • Posted By: jarynzly @ 08/04/2008 8:35:49 AM

    Comment: Not only are the big M and S kidding themselves if they think they're staying a step ahead, they'd be incredibly foolish to think that Mr. Ledin is the only one teaching this type of class or that computer science students are doing it on their own. Many businesses across the US that help already infected users, many of which had M & S installed, fix their machines, started out by figuring out how these malware instances are created.

    Remaining in the dark ages by believing his tactics are punishable shows ignorance in a field that requires constantly expanding minds. Congratulations to Mr. Ledin for helping today's students truly be well-rounded!

  • Posted By: KevinC1961 @ 08/04/2008 8:27:49 AM

    Comment: I am a longtime computer network consultant, and I for one, have never felt that I knew enough, about hacking specifically, to do any more than set up my firewall with best practices and keep my servers patched and AV-protected. I wonder what, if anything, gets through.

    I really think that these types of courses are necessary for the good guys to understand what the bad guys are doing.

  • Posted By: FiveofClubs @ 08/04/2008 8:27:34 AM

    Comment: If Ledin truly wants to help, then he should just allow the computer security companies (not just anti-virus makers, but Cisco, SunGard, IBM, Microsoft, Apple, etc) have access to the data they are producing. If one of the students comes up with some brilliant new model (like the Melissa virus 10 years ago) then the companies can see what to react to. But honestly the source of the security has to come from the hardware, and operating system manufacturers. Any lock can be opened, any code broken, any protection thwarted. Minimizing those risks is what it is about, and if someone else is hit first, you benefit from the solution before you are hit.

    FiveofClubs

  • Posted By: VeryEducated @ 08/04/2008 8:24:53 AM

    Comment: It pays to be intelligent. People may fear this new mindset, however, in the end it may be what saves us.... This technological step in making it to the "next level" can only help us. I hate paying for software that will not protect my system... So if there are individuals who can break McAfee then perhaps McAfee should produce software that is "quality". As their name suggests Mc A Fee... just pay the fee...

  • Posted By: louie1892 @ 08/04/2008 7:42:47 AM

    Comment: He would be lucky if he just went to prison, because China currently uses capital punishment for many crimes, such as tax evasion, corruption and racketeering.

  • Posted By: louie1892 @ 08/04/2008 7:31:32 AM

    Comment: He should be sent to prison for a very long time...

  • Posted By: Dezl0ck @ 08/03/2008 6:14:19 PM

    Comment: Ledin is perfectly on target and the security companies are clueless. Having worked in the security industry for 10 years I can tell you anti-virus is a racket and I would not have any problem hiring any of his students unlike the dated so-called security companies. If you're going to design a better lock you have to know how to pick all the locks out there today. I also see Ledin training the next generation of cybersoldier. China and North Korea have crash courses in computer hacking and our military is playing catch up because other than Ledin there is little in the way of formal education in the art of hacking. If McAfee and Symantec were really concerned about security they would not have been bested by companies like Internet Security Systems and eEye who have next generation technology, which isn't perfect so they're better but not much. The anti-virus companies are outdated and only exist to sell you a subscription.

  • Posted By: indiehead @ 08/03/2008 6:08:03 PM

    Comment: I think this is a great idea, exactly what colleges should be teaching. I mean if all these AV software firms are so good then all he is teaching should be common knowledge to them and no big thing. The only way you're going to provide a good defense is to know your enemy and this encourages the students to think off the tracks and really push themselves; good work!

  • Posted By: quaffapint @ 08/03/2008 2:32:34 PM

    Comment: How are we to ever keep up with the bad seed hackers if we don't think like hackers and come up with better means to defend our information. We still regularly send confidential or very personal notes to each other through e-mail. It's time to move on and be more secure, try something like Whisper Bot that just came on the scene at http://www.whisperbot.com . It allows you to send secure notes to each other, without the chance for someone to just hack your email account and see the information.

  • Posted By: jgilligan1 @ 08/03/2008 2:04:42 PM

    Comment: I have to admit, I'm well and truly in Prof. George Ledin's camp here. I find it difficult to conceive of a rational reason that we would want to discourage technological advances and research in the area of computer virus production, intrusion techniques, and development of advanced trojans etc.

    The specific reason is that, you can bet that universities in China, India, Israel and Russia certainly teach their students how to do this stuff. You can be VERY sure that our nation is under more or less constant attack and there are intrusions DAILY into both private, corporate and government computer resources.

    I have a question for anyone suggesting that Prof. Ledin's work is less than valuable. How exactly should we defend against such attacks as the ones we experience presently. The number of highly competent network engineers and programmers I have met is VANISHINGLY small, relative both to the overall number of engineers and programmers.

    Furthermore, the next generation of programmers entering formal computer science education is even smaller than the current and previous generations.

    The popular assumption being that all programming will be done in Tel Aviv, Mumbai, Chennai or Guandong rather than in Philadelphia, Wausau or Los Angeles for 1/2 the price.

    The problem is we endanger ourselves by thinking that proliferation of these skills is the problem. The problem is that not enough people are trained and knowledgeable in the techniques and methods necessary.

    This argument essentially suggests that we shouldn't - for whatever reasons - allow researchers or students or professionals unbridled access to this material. Failure to energetically engage technology and science on the part of our society is a MAJOR failure, this leads to over utility of the resources we do have, cloistering of information and the continued encouragement of mass incompetence with regards to the technological underpinnings of our society.

    If a new virus is produced that simply circumvents the security of Mc Afee, or Nortons, we must await the tireless efforts of small reaction teams of highly trained and dedicated staffers who might have only hours to react and defend against a major threat. The pool of potentials is vanishingly small and arguments such as these don't help, and really speak to the cultural ideals of ignorance which is so expertly cultivated in the media.

    • Posted By: paperburn @ 08/04/2008 8:00:21 AM

      Comment: 100% correct on this one; we need to come up to speed. Take the instance in SF where one man held the city at bay (pun intended) because no one else had the skill to crack him. I was always taught and shown if you have access to the box you own it, and have yet to find that not to be the truth. So why was the city data held hostage? Lack of knowledgeable personnel. My horse for a good IT guy.

  • Posted By: jimoase @ 08/03/2008 11:00:44 AM

    Comment: When has more knowledge not both harmed and served society? The difference has always been the character of those with the knowledge. My belief is that adding security after the operating environment is created is similar to adding buggy whips to carriages after the horse is hooked up.

    When security bugs are no longer built into our operating environment we will no longer need buggy whips like security add ons.

    This professor is adding knowledge, parents are tasked with adding character before the professor gets the students.

    Jim

  • Posted By: Fort Begay @ 08/03/2008 8:53:25 AM

    Comment: I appreciate this article because it shows education is being used for an actual purpose. It sounds valid that to teach students how to hack, they can in turn create programs that could be designed to have better safeguards. Similarly it reminds me (and I'm relieved, too) that no program is truly "safe" because of hackers. We call them hackers, but all these people do is find loopholes in programs. If they were in the profession of law, we would if we had high incomes hire of these " tax lawyer hackers" to find loopholes in the law to protect as much of our large incomes as our money could afford. It's also interesting to note that what one calls "hacker" in one country is not in another. For a country that drools about free speech, some European nations have more relaxed laws security.

    Back to Ledin's class, he is doing what any good teacher challenges his learners: Think outside the box and/or think how someone else would approach this challenge.

  • Posted By: Tan Boon Tee @ 08/02/2008 11:43:47 PM

    Comment: Every invention or technology has its positive and negative impact on human beings. Nuclear weapons obliterate, but nuclear reactors give energy to support life. Toxic chemicals kill, yet pesticides help to improve harvests.

    Whether what Ledin does is morally acceptable or not is hard to gauge. There are hundreds of hackers all over the world, but few are indicted or convicted. Until his students produce virus to infect the standard software, they could be left alone for the time being. Nonetheless, by then it may be too late for the computer industry to get away with the nasty if not disastrous onslaught.

    Well, should there be a pre-emptive measure so that any culprit suspected of intending malpractice can be nabbed by the law?
    (Tan Boon Tee)


 
 