Should colleges really teach hacking?

Should colleges really teach hacking?

Summary: Newsweek featured an interesting article Saturday about a professor at Sonoma State University who actively teaches his students to create malware and otherwise do the nasty things online that cost companies billions of dollars every year.According to the Newsweek piece,[Professor George] Ledin insists that his students mean no harm, and can't cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can't escape.

TOPICS: Security, CXO

Newsweek featured an interesting article Saturday about a professor at Sonoma State University who actively teaches his students to create malware and otherwise do the nasty things online that cost companies billions of dollars every year.

According to the Newsweek piece,

[Professor George] Ledin insists that his students mean no harm, and can't cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can't escape. Rather, he's trying to teach students to think like hackers so they can devise antidotes. "Unlike biological viruses, computer viruses are written by a programmer. We want to get into the mindset: how do people learn how to do this?" says Ledin.

While that may be the case, anti-malware companies have threatened not to hire his students and otherwise point his efforts as potentially destructive.

"Why should we shy away from learning something that is important to everyone?," Ledin asks. "Yes, you could inflict some damage on society, but you could inflict damage with chemistry and physics, too."

His approach seems to make a lot of sense. Does showing students a fire escape cause them to start fires? I don't think so and, having used Norton and other intrusive anti-malware tools too often, I think I'd rather just have one of Ledin's grads handling my security instead of, as Ledin says, "McAfee, Symantec and their ilk, whose $100 consumer products he sees as mostly useless."

Topics: Security, CXO

Christopher Dawson

About Christopher Dawson

Chris Dawson is a freelance writer, consultant, and policy advocate with 20 years of experience in education, technology, and the intersection of the two.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I wish I'd had that class when I was a student

    The best way to understand how to secure a network, is to know how to break into one.
    • I did hve security classes in college

      I had security classes in college but the instructor new nothing about the subject and had no prior experience or back ground so those of us who got interested in it were and still are left with having to learn on our own which is asking for trouble. These classes should be taught to advanced level students who have completed enough regular computer courses to show their sincerity and then the instructor should be required to be certified in the area.

      No telling how many thousands of companies and home users are hit every day by those non intrusive but irritating port scans because some student with no access to a lab environment is doing what he/she can to learn. Or how many un-guided students accidentally infect or hack into the wrong computer or network cause no one taught them what they were doing.
  • Bartending School

    In the mid-70's I took one of those vocational courses you see advertised on late-night TV: "Learn to be a Bartender in One Week". Although I never used it (I went at night, which takes 2 weeks and over the weekend I got my acceptance to law school), it was an excellent course and I would recommend that to someone looking to learn marketable job skills fast.

    One of the class session was "How to Steal". The instructor said straight out, "We're not teaching this section so you can steal. Unlike most bartenders, because you have formal training you know the "fancy" stuff. (Multi-layered flaming drinks, etc.) Because you know the fancy stuff chances are you will become a shift manager or even a bar manager. If you don't know the techniques, you won't know what to look for to make sure employees are not stealing." (It's a LOT more complicated than just taking money from the till. For instance, some bartenders will bring their own bottle and pour free drinks, to increase their tips. By bringing their own bottle, the money in the till matches the total ounces sold. But it is still stealing because patrons would have BOUGHT more drinks if they weren't getting drinks FREE.)

    The professor's reasoning is the same as when an Auditing course teaches accounting students about imaginary employees, check kiting, and other financial theft and fraud.
  • He's exactly right!

    His analogy to chemistry is quite valid - you have to know what could cause damage and how, in order to make sure you avoid it! Chemistry teachers *always* teach you a bunch of things you should never do! Not just "follow these instructions to make compound XYZ."

    Isn't it self-obvious to those developers among us that we need to know how to write secure code, and that a big part of that is knowing where things break? You can't know how they break unless you practice trying to break them. Duh.

    There's periodically a clamor for software "engineering" to actually become an engineering discipline, with a more rigorous approach towards provability and ensured quality, etc. Well, folks, look at any other type of engineering...civil, for example...what do they spend a good amount of time doing? Studying thresholds and points of failure, and learning how to prevent failures precisely by knowing the limitations and what can be done about them! Neither can we in software end up with higher quality, security and reliability without focusing on the weaknesses and learning to design and build based on knowledge of them.
  • Chemistry, phyics, phooey!

    If you're worried about studies that have the potential to cause harm, [b]DO NOT[/b] look into the microbiology labs.
    Yagotta B. Kidding
  • RE: Should colleges really teach hacking?

    "Newsweek featured an interesting article Saturday about a
    professor at Sonoma State University who actively teaches
    his students to create malware and otherwise"

    Just brilliant as if we don't have enough sophisticated
    criminals, virus creators and trouble makers online already.
    Teaching students to create malware and destructive
    software is *bad* what happens when gangsters and
    organized crime seeks them out and they flash money at

    They'll be ethical right? don't count on it.
    • hold it a minute please

      SO your problem is not with the fact that people would learn malware and security busting tech....

      you have a problem what the fact that in this society there no more ethic right ......

      So we are having ethical problem with the society.

      that what thought too thx you
    • Re: gangsters and organised crime

      Like John Travolta in sword fish? LOL this aint the movies and the kind of people approached like that have PHd's from MIT. Not a likely thing to happen to the average security student.

      Even so, if the student lives ethically/morally, there's not much likely hood of being in a place to be approached by someone like that so it's back to societies ethics being the problem.
    • Right...

      So we should take guns away from soldiers and police because they might misuse them. Then make sure your boss doesn't know anything about accounting, because he may decide to cheat you somehow when he figures your paycheck and benefits. And by all means, lets make sure those unethical doctors don't know how virii and germs work, they could all decide to start making bad stuff that could infect us and make us sick, instead of finding cures and saving us from injuries!

      You really need to re-think your position...
  • Most definitely. (nt)

  • Any good college...

    ...with a good technologically based degree program (CS, EE, CIS/MIS) will, undoubtedly, teach students skills useful for hacking. Information Security Management, risk assessment, programming... hell, even psychology/sociology can aid in a social engineering standpoint. The only difference, here, is that the professor does not attempt to hide what is being taught and, for that, he has my praise.

    All too often in the Security realm, we end up relying on graduates who have what I like to term "Textbook Skills". These, though they may be coupled with practice, are still theoretical skills and not up to par with the current technologies. I'll put it this way: I got a hands on tech school degree (2 yrs) and, due to the nature and content of my courses, I knew more about the technical side of security than a CIS Grad (buddy of mine) with the same amount of actual IT-related work experience (none). One of my teachers had the class research hacking tools and attack methodology, as well as the mitigation of their imposed security risks. Sure, those guys/gals will be the bosses of people like me, but there is a real need for a deep technical understanding of hacking.

    I wish more colleges would do things like this. The only problem is that everyone will want to hold the professor/school liable for any damamges or complaints caused by or related to the actions of a (former) student. This is unacceptable. ...It would be like someone holding SANS or EC-Council responsible for unethical actions made by someone who took the courses, whether they passed or not.

    So, I say "Bravo, Professor George Ledin... keep up the good work. We can always use the knowledge of those who can code/reverse engineer malware!" :)
  • RE: Should colleges really teach hacking?

    What's the big deal? This is nothing new. I had number of security courses in my college where we were taught how to use NTFS ADS (Alternate Data Stream) to hide potentially maliciaus files into another file. We were exposed to numerouse existing exploits (which have long been patched) and places on the web where we can find them (and new ones too :). We were tought numerous methods of DDoS attacks. SSH brute force, Packet Sniffing, VLAN hopping - I can keep going, but I think you get the idea. And just like in Prof. Ledin's class, we played with this stuff in a segregated network environments with no external access to the Internet.

    Yes, I can use all these techniques to annoy people around the web and other networks I have access to...but that was not the intention of teaching this stuff to us and it is not what I intend to use it for. Getting your hands dirty in Network Security teaches you to be more aware and gives you a better knowledge of detection and prevention techniques that beyond of turning on McAfee OnAccess.

    In these same courses we also how to look for and detect suspicious filesystem activity without the help of antivirus the case of McAfee, Norton, or other antiviruses don't release a definition in time to detect a new vulnurability. We also learned how to use tools like Snort and Tripwire for NIDS. All of this goes hand in can't teach someone just one side of network security without exposing the other.

    Colleges should continue to teach 'hacking' as it is all part of teaching network security. Besides, most of the stuff is available to everyone in the 'Hacking Exposed' books available at any local bookstore...tells you step by step how to do some of the stuff prof. Ledin probably teaches his class. And instead of refusing to hire people from this class, I on the otherhand would be considering calling them in for a 2nd interview...they would probably be a better candidate for patching a vulnurability then the guy who doesn't know how it may have become one.

    Karate is supposed to be an art of self defence...but when you go to Karate classes, don't they teach you to punch and kick? Can you teach someone to block without attacking them? :)
  • Isn't all in how you label the Course?

    Just seems to me that any decent computer/network security course would include instruction on how to use exploits/malware to comprimise a system. The old adage "Know your enemy" comes to mind. What better way to understand how a malware program works than to know how to build one? If you know how it works, you know how to defend against it. Instead of "Advanced Malware Programming, CompSci 342", it should be (because it is) "Advanced Software Security, CompSci 342".
  • Spin...

    Is it locksmithing or safecracking?
  • RE: Should colleges really teach hacking?

    Should you teach people in med. school anatomy???? Should you teach law students law? Should you teach math students math??? Why would send a kid school and not teach him the basic skills of his trade? You ask some pertinent question in your previous columns, but this one is rhetorical.....I hope??????

    G. Goodyear
  • I doubt that this article is true

    Only terrorists make virus.
  • The real question is what qualifies ....

    ... the professor to teach the course? If the curriculum didn't exist when he went to college how did he become competent in the subject? If it was by performing illegal activities is he qualified to teach?
    • But

      Does that logic lead to the conclusion that anti-malware software is written by either criminals or time-travellers?

      *Edit* Or was that your point?
  • RE: Should colleges really teach hacking?

    This one's a tricky one. The same principle applies to biochemistry students - they need to know how to create a real-world virus which could cause serious ill-health or a "mild case of death".

    The professor in question is right to do this, however vetting for the course/degree programme may be needed to filter out the potential dangerous students from the genuine ones.

    Same vetting procedures apply to degree courses which involve children; it's there for everyone's protection.
  • Already being done...

    My Computer Security course in College had a final project that involved creating a Session Hijacking program with a custom sniffer program.(My personal choice) Other students implemented keystroke loggers, denial of service attacks, etc. My point is its already being done guys, no big deal.