A new college course is stirring up a firestorm of debate in the security community.
The University of Calgary in Canada is opening registration next week on a course, slated to start in the fall term, that will teach students how to write viruses and worms. Educators say it’s not a dream class for the black hat community. They’re hoping that by teaching how to write viruses, they’ll be helping their students — possibly future anti-virus warriors — better understand their foe.
However, many in the anti-virus community say the university is playing with fire. There’s no need to teach anyone how to write viruses, which are an ever-increasing threat to the online world, costing companies and individuals billions of dollars in damages every year.
Several anti-virus vendors, such as Sophos, Inc. and Trend Micro, have said they will not hire anyone who has taken this class.
”We applaud their motivation to educate people about this issue,” says Chris Belthoff, senior security analyst at Sophos, which is based in Lynnfield, Mass. ”It’s their methods we have a problem with… Once they teach someone how to write a virus, how will it be used in the future? If anything written in university labs got out in the wild and infected systems, what would that lead to?”
But Dan Seneker, coordinator of community relations for the University of Calgary, says they’ve taken steps to safeguard the viruses they’ll be working with — students can’t take the class online, for example — and they’re stressing the ethical and legal issues surrounding the topic.
”Ethics, along with security issues and legal issues, will be the first part of the course,” says Seneker, who notes that he’s had inquiries from all over the world, including Georgia Tech, the University of Michigan and the University of Hong Kong, about taking the class. ”This is a topic that has plagued people since the inception of computers. It has cost billions, if not trillions, of dollars of damage.”
The course, called Computer Viruses and Malware, is only open to fourth-year students in the computer science program at the University of Calgary. Students from other colleges are not being allowed into the class. Seneker says they’re bringing in someone from law enforcement, along with a lawyer, to talk about the legal issues involved with virus writing. And they’re bringing in a philosopher to talk about ethics.
Some of the arguments against the course have wielded analogies, such as you don’t teach someone how to break into houses in order to protect their house. But Seneker says those people are missing the point.
”We feel that in order to understand the problem, you have to know about the problem. To understand the virus, you have to know about the virus,” he explains. ”We’ll look at how to create them and the intention behind them. How to create better security measures to combat these viruses.”
It’s actually not a bad idea, if it’s handled properly, says Keith A. Rhodes, chief technologist at the U.S. Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. Handling it properly will be the tricky part.
”No, you don’t teach people to be cat burglars to better protect their house, but some people hire a professional break-in artist because they’ll notice things that a thief would know and the average citizen wouldnt,” says Rhodes. ”You’re teaching people how to be Internet assassins. Teaching them how to do this as a defensive measure is a good thing. If you’re teaching them absent the ideas of right and wrong, then you’re perpetuating the anarchy that’s already out there. And that doesn’t sound very good to me.
”You need to deconstruct and reverse engineer the virus. That would be helpful,” adds Rhodes. ”It’s one thing, though, to teach people how to shoot a water pistol and another to teach them how to shoot a .44 magnum. If you’re teaching them the technical equivalent of a large firearm, then you better teach them when to use it, when not to use it and firearm safety. What are you doing to instill in them the basic motivation that this must always be used for good?”
But the university’s Seneker says that line of thinking can easily apply to any course, to any type of learning.
”Harvard teaches a course on nuclear physics,” he says. ”What is stopping a student from studying that and turning it to the bad? We don’t think students are going to spend $40,000 and wait around for the opportunity to take this course, only to turn to the bad side. If they want to turn to the bad side, they’ll find a way to do that.”
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.