09.23.07

Educational Hacking?

Posted in IT, Security at 1:58 am by Tyler Reguly

I was browsing my Bloglines the other day and I saw an interesting post title on the McAfee AVERT Labs blog. Federico Barbieri had written a short post entitled, "Educational Hacking? Is it really a good idea?" After reading the title, I expected a write-up on universities offering ethical hacking and malware authoring courses and I was quite excited to read what Federico had to say. Instead I found a post questioning the disclaimer that we see attached to most "questionable" software, "For Educational Use Only". This is still an interesting topic and I wanted to address it.

A few specific examples were addressed:

  1. "Hacking Kits" sold on auction sites (Dave Lewis recently mentioned this at LiquidMatrix.org)
  2. Sniffers designed for specific purposes (stealing passwords for example)
  3. Malware creation toolkits.

Now first, let me address that I don't believe "educational disclaimers" constitute "educational hacking". The original intention of these was to CYA, although I wonder if the disclaimers were ever tested in court. Essentially the person is saying, "This can be used for malicious purposes, but that wasn't my intent. I'm not responsible if you choose to use it that way." It's basically like seeing a gun with the disclaimer, "Not for use on Humans".

In the end, Federico decided not to debate the issue but instead to question the academic merit of the tools. One comment addressed the malware creation toolkit, pointing to personal AV testing. If your AV software can't detect basic viruses created with these toolkits, available for purchase by anyone, do you really want to be using it? This isn't the only benefit to malware creation toolkits. The biggest benefit I can see is for those interested in AV analysis. You create the virus via point and click... picking specific vulnerabilities, actions and packing processes. Afterwards you run the virus and attempt to work backwards to the initial settings you chose. You watch its actions with a debugger and a sniffer. I would say this is definitely educational and there's a good chance many people in InfoSec did this sort of thing when they were first playing with security.

As for some of the other items offered, I believe that the single comment on the post had merit on this point as well. Know thy enemy. That is an educational purpose... is that the primary purpose? Perhaps not, but it is a secondary purpose now that the software has been released. I cut my teeth with a couple of networked computers and plenty of software that said "For Education Purposes Only"... it's why I'm in security today. So yes, I'd say that these tools do have educational value, even if their authors don't intend that when they release them.

In the end the disclaimer is there to add legitimacy to the software and (potentially) cover their ass. The truth is that this software is educational to those people without malicious intent. Would I call this educational hacking? Nope... Would I call it an interesting conversation? Definitely.


3 Comments »

  1. kurt wismer said,

    September 23, 2007 at 6:03 pm

    “You create the virus via point and click… picking specific vulnerabilities, actions and packing processes. Afterwards you run the virus and attempt to work backwards to the initial settings you chose. You watch its actions with a debugger and a sniffer. I would say this is definitely educational and there’s a good chance many people in InfoSec did this sort of thing when they were first playing with security.”

    indeed, i’m sure many in infosec and even outside of infosec did this sort of thing… i believe sarah gordon covered this set in her paper “the generic virus writer II”… 3 guesses why that set warranted mention and the first 2 don’t count…

    if you must experiment with viruses, experiment with ones that already exist, not ones you make…

  2. JaceTheAce said,

    September 26, 2007 at 6:30 pm

    I’ve seen this a lot lately - the subject and the practicing of. The coverage shows the anxiousness society has with public open malicious development.
    I just spent the past days at a large conference and even the Presenters of the study session were displaying and encouraging ‘engaging’ the malware situation deeper: like so.
    Unfortunately no obvious answer yet with the fine balance between Tool and Instigator. They’ll just have to do like you said, test these each individually in court with a nonpartisan Judge.
    I believe the pressure of the sincerity people have for this subject maintains honesty well enough for the time being.
    It becomes blatantly obvious if people take their Home-Malicious tools though and release the self controlling and self-deciding destroyer on its own.

    I find I learn and take in new programs/coding the best when I can get my hands on the source code - then run it and debug, then go back, change some values, objects. Later - prolly inject/change/add/modify the program to learn more again.
    Too bad for this subject the program - is malicious related.

  3. princess of antiquity said,

    October 1, 2007 at 5:36 am

    Personally, I don’t believe that it is essential or even needed to do these kinds of experiments. I still think that it is still better to learn how to design good security rather than protecting it by blocking known attacks. We don’t need to know all of them, because at the rate they are growing, we’ll never finish. Instead, I think that we just have to assume that it’s there. ‘Coz if it’s not meant to be hackable, then, it shouldn’t be.

    But, hey, what do I know, I’m just a student. ^_^
