The University of Calgary‘s Department of Computer Science faced critical attack from security experts worldwide Monday over a course where it will teach students how to create viruses.
The course, Computer Science 599.48: Computer Viruses and Malware, taught by assistant professor John Aycock, is to focus on malicious software, or malware, such as computer viruses, worms and Trojan horses, according to its outline. Students will study malware techniques along with countermeasures and “”benevolent”” forms of malware, while touching on legal and ethical issues, and general computer and network security issues.
Although a course of this type has popped up in university curriculums in the U.S. and Europe, the University of Calgary offering is different in that course assignments will actually involve creating malware under controlled lab conditions.
Robert Vibert, a spokesperson for the Anti-Virus Information Exchange Network (AVIEN) and the Anti-Virus Information and Early Warning System (AVIEWS) and principal at Segura Solutions in Braeside, Ont., said the anti-virus community is dismayed by the approach the course is taking.
“”There is no advantage to doing this, but there are many disadvantages,”” he said.
AVIEN and AVIEWS have released a joint statement encouraging Aycock and the university to reconsider aspects of the course, including the instruction of programming malware. Instead, the organizations have encouraged instructing students on “”subject matter relating to the prevention, protection, and cure, rather than how to attack and destroy.””
While the course outline clearly states that any misuse of the lab and its protocols in regards to creating malware will result in an “”F”” grade in the course and potential civil and criminal penalties, Vibert said that as in everything, security is only as good as the weakest link.
“”There’s nothing stopping them from learning how to do it and write a slightly different virus at home. This is giving them skills that they can apply without copying anything out of the labs,”” he said. While he wouldn’t go so far as calling computer lab security an oxymoron, Vibert said that a lot of students make it a priority to get around security.
Dan Seneker, a spokesperson for the faculty of science at the University of Calgary, said that the department has been contacted by people from across the globe in an overwhelming response to the course’s announcement. He said that while the department could not issue any comments by press time, a statement would be released on Tuesday.
Rob Slade, a Vancouver-based security expert and author said that despite the ethical questions surrounding the course’s teachings, the knowledge gained would be largely useless, practically speaking.
“”Learning how to write a virus doesn’t translate to the defensive side. As a matter of fact, concentrating on learning how to program malicious code is a waste of effort in learning how to defend systems. By focusing on specific items and approaches, you’re going to be concentrating on items you’re familiar with, and either ignore or be unaware of the thousands of other approaches out there,”” he said.
He went on to paraphrase an analogy once used by security expert Gene Spafford: pouring sugar into a gas tank doesn’t teach you anything about auto mechanics.
Academic value aside, anyone taking the course could potentially hurt future career prospects, Vibert said.
“”None of the students would ever get a job with an anti-virus company, and it’s likely that most corporations wouldn’t feel comfortable hiring someone who wrote viruses as a part of course work,”” he said.
With more than 80,000 viruses already in existence, Vibert cannot justify the need to write more.
“”Nobody’s come up with a good reason why they can’t pick and analyze one of the viruses already out there,”” he said.
Rob Rosenberger, an Iowa-based security critic and creator of Vmyths.com, a Web site dedicated to revealing the “”truth about computer security hysteria””, said that a course like the University of Calgary’s was inevitable and potentially harmless.
“”It may sound controversial, but I don’t see an average Joe Blow student going into Computer Viruses 101 and becoming an über hacker. I don’t think that any Pandora’s Box is going to be opened here, and no genie is going to have to be stuffed back into the bottle. As long as it’s controlled, I don’t have a problem,”” Rosenberger said.
–Illustration by Jarrett Osborne