Round (V)X in the Debate on Virus-Writing Classes
Wednesday May 23, 2007 at 10:44 am CST
Posted by Karthik Raman
PC World Associate Editor Eric Larkin blogged on May 22 about a new computer science course to be taught at Sonoma State University, in California. Apparently, the school will offer a class in virus writing.
However, Sonoma State’s computer science curriculum Web page does not mention a virus-creation course as I write this.
If Sonoma State’s virus-writing class is reality, then it wouldn’t be the first such controversial university course. Colleges and professors who have in the past offered courses on virus or malware creation have come under fire. At the same time, however, others have given conditional support for these courses.
So is it OK to teach virus writing?
Let’s revisit a recent debate on the subject: In 2003, Professor John Aycock of the University of Calgary, in Canada, announced that he would teach “Computer Viruses and Malware” in the fall. Security expert M.E. Kabay summarized the arguments of the critics of this course: It wasn’t necessary to learn how to write malicious code to understand malware; malicious code written for the class could be used (ahem) maliciously; students might feel encouraged to write malware if the ethics of their actions were not discussed; and the antivirus industry might shun graduates of the course as tainted. Perhaps the strongest criticism of the course, posted in the NTBuqtraq mailing list, was that there were already tens of thousands of virus and worm families for students to “dissect and study.”
The University of Calgary maintained that actual virus writing was only a small part of the course. The head of the university’s computer science department, Ken Barker, stated, “The better we understand something, even if we radically disagree with it, the more likely we are to provide effective mechanisms to counteract it.” He added that students would run their code in a tightly controlled laboratory setting. There would be constant emphasis in the course on the legal and ethical implications of students’ actions. Prof. Barker concluded, “After a careful review of the first offering and upon considering the ongoing need for this level of expertise, the University of Calgary believes that it is in the greater public good to continue to offer the course.”
Despite the care that went into the design of “Computer Viruses and Malware,” some experts still balked at the idea of teaching such a course. Professor Edward Felton of Princeton University said, “There is some merit to the argument that learning how to write malware—under very carefully controlled conditions—can help one to think more clearly about how to defend against malware. But I would not teach a course about malware that way.”
Four years later we’re debating the same issue. We should reserve our judgments until more is known about the class: its title and description, how well it is designed and taught, what kind of emphasis there will be on matters of law and ethics, and what safeguards will be in place to prevent one’s homework from eating the computer.
May 24th, 2007 at 20:04
On some levels I can see why some individuals might balk at a class that teaches potentially malicious knowledge but the open tirades are getting a bit ridiculous. First off the people who are taking these classes aren’t script kiddies. It’s not like they are dilettante and just taking this class so they can be “1337”. These are individuals that obviously can learn the subject matter on their own or they wouldn’t have passed the prerequisites to get in the class. I feel to learn the subject matter in a controlled academic environment is the best way to learn any potentially malicious knowledge. At least in the setting of academia the students can learn in a controlled and screened environment.
November 15th, 2007 at 05:17
I think that this is a brilliant idea and will provide a valuable insight into malware stucture and ways to combat it
Great job
February 17th, 2008 at 02:54
this is a good step to fight back, because teaching students how to write viruses, makes them ready to implement better security tools.