Fourth year computer science students at the University of Calgary will still have the opportunity to create malware in a controlled setting this fall, despite vocal opposition from members of the anti-virus community.
The proposed course, to be taught by assistant professor John Aycock, is going to run as planned with proposed input from the IT community.
Roman Cooney, a spokesperson from the university’s external communications office, described the international response to the course’s announcement as “”naive.””
“”What this program is about is not teaching people how to write viruses, but to stop other people from writing viruses. There’s a big distinction there that I think has been missed,”” Cooney said.
While course assignments will involve students creating malware, such as computer viruses, worms and Trojan horses, the focus will be on understanding hackers and the way they think in order to rein in the exponential growth of viruses, he said.
Ken Barker, head of the University of Calgary’s Computer Science department, said that by training students on the intricacies of malware, they will be more adept at identifying security issues once they leave university.
“”If we have highly trained people who understand thoroughly the process by which viruses are created we are in a much stronger position to defend against hackers and what they’re doing,”” Barker said.
Besides, Cooney pointed out, any good hacker can find what they need to write a virus on the Internet.
“”You can’t get into this program until the fourth year of university, and there are cheaper and faster ways of finding out how to write a virus than working hard at university for three years to get into a course about viruses,”” he said.
The difference, of course, is that this is an academic course dedicated to understanding the mindset of hackers and not a how-to guide on becoming one, he said. He also noted that the university has taken a number of precautions and steps to prevent students from abusing the knowledge gained in the class. This includes using isolated computer systems not connected to mainframes or external computers, he said.
Mark Morrissey, coordinator of a course called Malicious Code and Forensics at Portland State University, said that he doesn’t see anything wrong with this approach, but predicts that the U of C course will change its focus down the road. Morrissey speaks from experience. His university used to teach a course which incorporated the creation of viruses as a learning tool.
“”We don’t do this anymore for a specific reason. We decided (after running the class for four years) that all we’d done is teach people how to write viruses — we hadn’t taught them anything about security or digital forensics. Our goal was ultimately not to produce a better virus writer, but to produce more security-aware students who can produce software that’s not as vulnerable to viruses and the like. That required a different approach,”” Morrissey explained.
“”Teaching someone how to break into a house is not going to teach them how to make their own house more secure,”” he said.
According to Cooney, the university contacted a number of organizations asking for input on the course and recieved no response. However, once a press release was issued by anti-virus organizations AVIEN and AVIEWS Monday, response has been substantial.
“”We’ve had offers to participate in the course and have had organizations volunteer to send people and help set the curriculum. Over the summer we intend to work with these folks to include their agenda in the curriculum,”” Cooney said.
Robert Vibert, a spokesperson for AVIEN and AVIEWS, said that he has not heard from the university before or after the press release was issued, but stressed that the door remains open for the anti-virus organizations to work with them provided the course participants do not create new viruses.
“”I am still hopeful that by interacting with industry groups they will be able to come up with course material that won’t involve the creation of viruses,”” he said. Vibert learned of the continuation of the course from ITBusiness.ca.
Despite this sort of backlash to the proposed course, Burns said that the IT community at large “”gets it.””
“”They understand that to stop a hacker you have to think like a hacker. In IT circles, they understand the need to drill down into techniques and tricks and that to tackle (hackers) you have to think the way they do,”” he said.
Cooney agreed. “”You’ve got to know your enemy — that’s what this is about. That doesn’t mean you’re going to abuse it. We want to stop these guys (hackers) from screwing up our computer systems. That’s the reason behind this,””