Eset on the Radio

Courseware - How to Write a Virus - Not a Good Idea

Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
August 23 2008


Alan:  One of the roles that we take on here at Let’s Talk Computers, and we take it very seriously, is making sure that our listeners are educated on viruses, malware, other types of Internet threats. Things like “What are they?” and “How can we best protect ourselves from them?”  But, can education on this subject go too far?  Our guest today is Randy Abrams, Director of Technical Education with ESET.  Welcome back to Let’s Talk Computers, Randy.

Randy:  Well, thank you, Alan.  It’s always a pleasure to be here.

Alan:  Randy, I know how important it is to always be educated about viruses – what they do and how they affect us.  Last week I saw an article in Newsweek that just absolutely floored me about a university professor who wants to teach an actual course, “How to Build a Virus.”  Isn’t this taking education in the wrong direction and taking it just a little too far?

Randy:  It has to do with exceptionally flawed logic.  The teachers aren’t really very good at computer security or don’t have a very good understanding of viruses; or in some cases they do and they are counting on hype to up their attendance in their classes.  

A virus really just means that the program is “self-replicating.”  The logic which falls apart is that, “Well, you need to be able to write a virus to be able to write protection against it,” which is like saying that, “You need to be able to build a building to tear a building down.” It just doesn’t hold up.

Time and time again we see people that don’t have really good logic skills that come up with this great idea, “Well, I’m going to teach virus writing to make better security professionals.”  And in fact, you don’t need to be able to write a virus to write anti-virus.  In fact, writing a virus doesn’t help you.  If I wanted to, I certainly could write a virus.

Alan:  Well, writing a virus, that seems like the easy part.  Most people can do that without much effort.  It’s the prevention that’s the hard part.

Randy:  You can do it in batch file programming - it’s that trivial.  “I can’t write an anti-virus product.  I don’t have that kind of skill level. And teaching me to write a virus isn’t going to make me a security professional.” It’s a different skill set, altogether.

What really amused me in this most recent case is that the teacher who is trying to justify his actions who says, “Well, they are not teaching this stuff in places like Harvard and MIT.”  Well, yeah – it’s because they have some educational standards that he certainly wouldn’t meet.

Alan:  If you look on a roster of all the different class criteria you will see, “How to Build a Website,” and then somewhere you will see, “How to Build a Virus.” Which will you be enticed to go see?  I guarantee you will have more people go to see “How to Build a Virus.”

Randy:  Yeah, and the people who choose the website, unlike people who choose, “How to Build a Virus,” actually come out with some useful skills.

Alan:  You can go onto the website and find “How to Build a Virus,” in so many different ways.  There are actually programs, (free programs) which you can download that will write a virus for you!  You just basically tell it what you wanted to do, what attacks you want it to be vulnerable to; and you don’t have to have any kind of education to do this!

Randy:  That’s true – additionally, for someone that wants to write their own virus, they need to be taught how to do this and can’t just figure out the algorithm for themselves?  Then, maybe computer programming isn’t their field, because if you have a few computer programming courses, you shouldn’t need for them to tell you how to do that.  It’s like taking an advanced computer programmer and telling him, “Well, now you have to learn how to write the ‘Hello World’ program.”  You should be able to figure this out for yourself.  It isn’t rocket science!

Alan:  If you are a programmer, you understand how program logic flows, but if you’re a “script kiddie,” you have no idea what you’re doing and in a lot of cases, most of these viruses have backfired and that’s how authors get caught, isn’t it?

Randy:  Well, yeah – the script kiddies don’t tend to be really smart people.  They will do really stupid things like, advertise who they are and not realize that – yeah, we have all got access to your MySpace profile; we have all got access to YouTube, where you put your picture of your hot little car and all this stuff.  Yeah, their egos get them caught more often than not.

Alan:  I am so glad that this professor didn’t decide to write about, “How to Build an Atomic Bomb.” We don’t need that, do we?

Randy:  No, we don’t need that and he probably would have gotten it wrong, too! 

Alan:  Well, I remember that there used to actually be classes back in the early days on how an atomic bomb was put together.  College kids actually went out there and tried it!

Randy:  Yes, fortunately the required materials for the plutonium were a bit difficult to get and it raised a lot of suspicion if you went through the steps to try to get that kind of material!  But, you know, if you want to become a demolition expert, there is a point in learning how to build a bomb and it can be taught in a safe, controlled environment.

There really isn’t a point in learning how to write a virus – you can figure out how to do it if you’re a competent programmer and then you will realize also, that there’s no point in actually doing it because it isn’t really going to accomplish anything for you.  Pretty much any alleged good use for a virus can be accomplished a lot more efficiently without using self-replicating code. 

Alan:  I mean, if you’re going to look at how to prevent a virus getting on your computer system, it has really nothing to do with the virus, per se, does it?

Randy:  No, it does not, at all.  You have to understand the behavior of viruses, which is easily understood by reverse engineering the viruses, but writing the virus doesn’t do anything to help you write security software. 

Alan:  We are talking about teaching how to build viruses in a university.  My question is, what are they going to do for homework?  How many of these viruses that are to be put together to pass the course are going to get out there in the wild?

Randy:  Well, that’s the point.  The only thing they can do for homework is waste time.  They are not going to do any homework for writing a virus that will result in usable skills.  Some of the students may go out to some of the websites that have tutorials on writing a virus and they will learn how to write a virus, without learning anything about security. 

The courses are generally in the few instances I’ve seen, where someone had this really bad idea to teach virus writing; they are done in a controlled environment that hopefully the teacher has got almost enough savvy to keep pretty isolated.  The actual virus writing occurs within an isolated network. 

Alan:  It sounds like in a university.

Randy:  Like a subnet, a lab in a university that isn’t attached to the physical network.  Hopefully the network administrators from the university understand what a stupid idea it was for the teacher to do this and make sure his computers have no access to the Internet.  But, the odds of something getting out are pretty small.  You can’t say “Zero,” they are pretty small. 

The real problem is this is supposed to be an educational institution and instead of teaching valuable educational skills, they are wasting the students’ time by pretending that they are teaching something that the other colleges and universities and competent professors understand doesn’t achieve the goal of education. 

Alan:  How many sci-fi shows are on TV, with the premise that they did something in a lab and, “oops!” it got away!

Randy:  You know, that happens from time to time.  There have been anti-virus companies that have accidentally sent viruses to their customers.  And they have got a lot more skills than these teachers who think that teaching virus writing is a good idea.  So, mistakes do happen and I certainly couldn’t say there’s no chance that it will get out.  The chances are pretty small, but it’s not impossible and there is really no justification for taking the risk.

Alan:  Well, if I remember right, one of the first viruses that became a major virus on the Internet was someone who was just sitting down to try to see if they could write a virus in a school lab and it kind of got away from them and caused all kinds of havoc, didn’t it?

Randy:  That’s the Morris Internet Worm? 

Alan:  Absolutely!

Randy:  One thing that’s kind of interesting for all you UNIX fans out there, is the Morris Internet Worm did not run on Windows.  It only ran on specific UNIX systems.  It shut down a bunch of the Internet for the better part of the day. 

The Morris Internet Worm exploited a few vulnerabilities, and a couple of them were unpatched systems, or a couple of patches that had been provided that people at that time didn’t think that they needed to worry about.

And the other was a weak password.  It got into systems that ran with default passwords like the “admin, root, root admin,” and that combination.  The savvy system administrators of that day that had systems that could be vulnerable were not vulnerable because they used good security practices, like using strong passwords and patching their systems.

Alan:  But, so many people do not patch their system.  They look at it and they say, that I don’t need to worry about that, because I’m not running those programs or I only use my computer just to surf the Internet.  They really don’t realize that their computer system can be actually turned into a “botnet.”

Randy:  An unpatched computer system can just be on the Internet and be compromised without the user interacting with it, just because it’s turned on and on the Internet.  It’s really critical that you keep your system patched or else you’re going to become a victim.

Alan:  “My computer is just used to surf the Internet and I don’t do anything with it; I’m not on any kind of banks; I don’t have any critical or sensitive information on my computer.  Nobody needs my computer.”  However, they can turn it into a botnet like we have just seen where our computers, without our knowing it, could actually be part of the invasion of Georgia!

Randy:  Yes, it’s not that nobody needs your computer, it’s that people want your computer because they can make money off your computer or they can use your computer for nefarious things, such as politically motivated attacks.  We don’t have any real evidence right now, but the Russian government is using botnets to attack Georgia.  It appears more likely that it is individual, rabid loyalists that are perpetrating attacks, but they are not just used for political motivations, either. 

Someone might be disgruntled with their employer and you might have stock in their employer’s company and if your computer is infected they can use it to wreak havoc on that business by making your computer participate in what we call a “distributed denial of service attack,” where you basically take the company off the web for a period of time.

Additionally, the emails that Grandma gets that convince her that she’s got to give somebody some money, those are often sent from bot-infected computers.  You might be defrauding little old ladies with your computer because you thought that your computer didn’t matter to anyone.

Alan:  Or was being used to put some bad information on somebody else’s computer that actually got them in trouble and “I didn’t even know about it.”  I would still feel bad about it.

Randy:  Right, I mean your computer could be used to promote a political candidate that you detest. 

Alan:  Oh, absolutely!  In a sense, you are responsible for what your computer does, aren’t you?

Randy:  Well, you should be.  Legally, right now there is not a lot of responsibility; however, you can get into some really big trouble, too.  One of the things that an infected computer can be used for by the bad guys is to store illegal files. 

So, your computer could be used to store pirated music.  The Recording Industry of America, or RIAA, doesn’t really care whether or not you put it there on purpose; they are looking to make examples out of people and you could end up on the wrong end of a lawsuit.

It’s possible that illegal pornographic files could be stored on your computer, because if I want some illegal pornography, it’s a lot safer to store it on your computer than mine.  Law enforcement right now doesn’t have a real good track record of figuring out that maybe the computer it is on, the owner didn’t put it there – someone else did, using malicious software.  There have been cases where people have faced trial and even been convicted, wrongly because they had content on their computer that they didn’t even know was there.

Alan:  We have seen many, many cases where their whole life has been ruined – they were a teacher or a doctor.  Now, it is in the paper that they have had child pornography on their computer and have no idea how they got on their computer.  The authorities look at it and say, “Well, it’s on your computer so you must be responsible.”  Then the media just has a field day with it and their life is ruined.

Randy:  We have seen many cases of that and yeah, there are probably more cases.  I am sure there are more cases where people put it there intentionally.  If you are one of those cases where it isn’t anything you ever wanted on your computer, but you thought you didn’t need the patch, you’re going to find out that patching would have been a very, very inexpensive alternative.

Alan:  To me, the right kind of education is so important.  I know that ESET has made available transcripts of all of our interviews on their Website, http://www.eset.com and that you also have blogs on tips on “How to Keep us Safe While Surfing the Internet,” on your Website.

Randy:  Yes, we do.  I’m not the only blogger.  We have got a couple of other researchers with significant experiences that are contributing to the blog, as well.  If someone reads one of those blog entries and it’s too technical, they can always send an email to askeset@eset.com

One of my specialties is translating the Geek Speak into things that normal people can understand.  It’s an excellent learning opportunity.  I’m always happy to help understand better what the issues are and what the jargon means and in words that they can relate to. 

Alan:  Randy, as always, it’s our pleasure to have you as our guest here on Let’s Talk Computers, educating us on viruses and malware and how to prevent all these nasties from getting into our computer system.  We look forward to having you back on the air again, real soon.

Randy:  Thank you, Alan.  It’s always a pleasure to be here.