TECHNOLOGY

This Bug Man Is a Pest

George Ledin teaches students how to write viruses, and it makes computer-security software firms sick.

The Virus Professor

7/26/08: Why one college instructor is teaching his students how to create computer viruses. (Editor: Lee Wang; Camera: Joshua Fisher)

 

 

In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. And Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers—they're students in a computer-security class at Sonoma State University. And their professor, George Ledin, has shown them how to penetrate even the best antivirus software.

The companies that make their living fighting viruses aren't happy about what's going on in Ledin's classroom. He has been likened to A.Q. Khan, the Pakistani scientist who sold nuclear technology to North Korea. Managers at some computer-security companies have even vowed not to hire Ledin's students. The computer establishment's scorn may be hyperbolic, but it's understandable. "Malware"—the all-purpose moniker for malicious computer code—is spreading at an exponential rate. A few years ago, security experts tracked about 5,000 new viruses every year. By the end of this year, they expect to see triple that number every week, with most designed for identity theft or spam, says George Kurtz, a senior vice president at antivirus software maker McAfee. "You've got a whole business model built up around malware," he says.

Ledin insists that his students mean no harm, and can't cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can't escape. Rather, he's trying to teach students to think like hackers so they can devise antidotes. "Unlike biological viruses, computer viruses are written by a programmer. We want to get into the mindset: how do people learn how to do this?" says Ledin, who was born to Russian parents in Venezuela and trained as a biologist before coming to the United States and getting into computer science. "You can't really have a defense plan if you don't know what the other guy's offense is," says Lincoln Peters, a former Ledin student who now consults for a government defense agency.

That doesn't mean Ledin isn't trying to create a little mischief. His syllabus is partly a veiled attack on McAfee, Symantec and their ilk, whose $100 consumer products he sees as mostly useless. If college students can beat these antivirus programs, he argues, what good are they for the people and businesses spending nearly $5 billion a year on them? Antivirus software makers say Ledin's critique is misleading, and that they are a step ahead of him—and the hackers. "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place," says Zulfikar Ramzan, the technical director of Symantec's security team.

Still, beneath Ledin's critique lies a powerful polemic. Ledin compares the companies' hold over antivirus technology (under the Digital Millennium Copyright Act of 1998, the companies' codes are kept secret) to cryptography decades ago, when the new science of scrambling data was largely controlled by the National Security Agency. Slowly, the government opened the field to universities and companies, and now there are thousands of minds producing encryption that is orders of magnitude more complex than code from just a decade ago. That's why you can safely transmit your credit-card numbers online. "Why should we shy away from learning something that is important to everyone?" Ledin asks. "Yes, you could inflict some damage on society, but you could inflict damage with chemistry and physics, too." He hopes one day to share antivirus techniques. But that would require infrastructure and financial support, which the federal government so far has declined to give. Until then, Ledin will have to live with his reputation as the guy who gave away the secrets to the Internet's bomb.

© 2008

 
Member Comments
  • Posted By: joe 6pack @ 08/27/2008 8:06:54 PM

    Comment: just what we need

  • Posted By: Ay1244 @ 08/08/2008 12:13:56 PM

    Comment: I'm absolutely outraged by this article. These kids are learning invaluable security skills in a safe environment, and Newsweek is portraying them as criminals in training. This sort of learning is absolutely crucial to writing well secured applications.

    Internet security is a real hot button issue in today's computer-centric world, and finding employees that can lock down and secure code is imperative for companies who deal with lots of personal information on the web. Almost innumerable websites have major security vulnerabilities that are just waiting to be hacked by some of the savviest crackers.

    How do you fight this? It's relatively easy. If you know how to hack something, if you know where something is vulnerable, if you know where there are flaws in a program; you can use that knowledge to tighten up security on that site. It's not hard logic to follow. In fact, there's an IT job that revolves around this called penetration testing. People doing penetration tests need to know how to hack web sites so they can let major companies know where there are exploitable pages, or coding flaws. Maybe if Oklahoma had had some pen testers check their Sex Offender Registry Roster, they wouldn't have been susceptible to an almost trivial SQL-based attack. http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

    Hackers and security professionals have the same set of tools at their disposal, and the same knowledge to back themselves up. The only thing that really sets them apart are their morals and ethics. I'm outraged at how this article is portraying the professor of this course as a criminal, and how they go on to portray his students as his only little private hacking group. I have never seen a tech article loaded with so much ignorance before today. The lack of common sense, and the lack of computing knowledge alone is horrendous, even without mentioning how you guys failed to mention anything positive about this program in depth. Furthermore, I have a hard time believing any top security company would refuse to hire these students, and the fact that you don't name these companies doesn't make me believe it anymore.

  • Posted By: leonb25 @ 08/07/2008 3:24:43 PM

    Comment: I think this is absolutely brilliant. I took a computer security course (sadly online) and the amount of stuff I learned in the one semester, I would have drooled in class at the complexity and brain power needed to understand and successfully execute a security algorithm.

    I am a freelance PC tech and a systems admin at a firm in Manhattan, NY. These students are being armed with the tools they will need when they graduate, hopefully they are in their later years of college. I run across countless computers that have spyware problems, as this is a very profitable business.

    Spyware companies spend millions for hackers and other devious code writers to circumvent all possible security holes, tricks, manipulation and the like in an effort to annoy the customer to no end and scare them sh!tle$$. And most computer users are NOT smart enough to know that even buying WinAntivirus will NOT get rid of the virus/spyware problems and popups. Sometimes I have to manually remove dll and dummy files that hide all over the place, to manually starting specific services and removing fake ones that transmit over your internet connection. Software solutions will almost never be enough as there are so many holes to fill, it makes sense to just keep patching them. Windows XP and Vista are so easy to get into, it's almost ridiculous to even broadcast a tutorial on TV as almost no one will get it, lol.

    Just like a mechanic knows how to fix a specific problem with your car, these students will come out knowing how to effectively get rid of these threats and annoyances.

    Leon B.
