<div class='os_post_top_link'><a href='http://www.pcworld.com/news/article/0,aid,110938,tk,dn053003X,00.asp' target='_blank'>http://www.pcworld.com/news/article...n053003X,00.asp</a><br /><br /></div>"When the University of Calgary announced plans this week to offer a course that includes instruction on writing computer viruses, officials expected the antivirus industry to support the move--designed to help educate future virus fighters. Instead, industry leaders have roundly criticized the plan.<br /><br />"It legitimizes the creation of destructive code and provides justification for virus writers to do their work," says Robert Vibert, administrator of the Antivirus Information and Early Warning System and the Antivirus Information Exchange Network. Both organizations help antivirus researchers and virus fighters share information about new and emerging threats."<br /><br />Interesting to see such a controversial move being taken by the university in my home town. What do you think? Is there value in this approach, or is it just asking for trouble?

I hope they offer it as a weekend course.

Lessee, my student number was a 9xxxxx and I was there eight years ago. They must be well into the millions (if not actually into ten millions) for student numbers by now.

Frankly, this is somewhat akin to teaching classes on how to make explosives out of ordinary household chemicals. What would be the purpose of the class ? If you want to find out how to do that kind of stuff, there are plenty of resources. Using educators to propogate the knowledge is not very bright. :idea:

I have to completely disagree with dma1965. The best way to educate people on the threat of virii is to educate them. One thing we need less of in the world is ignorant people. dma1965, I'm not say that you are, but I think it has legitimate educational value. Granted, some people who take the class may have ulterior motives. I think over all it would be a very educational class to take. I'd go if I lived in Calgary...

What about a class for bomb experts? Isn't that the same principle? Obviously in a class like that, they would teach how bombs are made, but the purpose of the class is to prepetuate understanding....

I hope they offer it as a weekend course.

Nah, more like M-W-TR 2:45 -> 3:50 A.M. :wink:

Steve

While it may be natural for some CIS students to "play" with writing malicious code, I can't believe a University would actually teach doing it... :roll:

At Iowa State University there is a course where two teams build a server (easy enough for ComE majors) and also program a virus and anti-virus program. They battle each other until a server is brought down. Just a interesting side note.

But really though, if you are having to teach how to program viruses, this will not become a problem. It would be hard to create an effective virus writer from a class. It reminds me of a story of a Purdue University student who happened to be Pakistani; when this student registered with the INS (as reregistration was required by DoJ) the person noticed that this student was taking a Nuclear Engineering class. Now, as it turns out Nuclear Engineering is the easiest engineering elective offered; even though the student had to beg from being referred to a lengthy review process, there was never a threat. Why? Because a single class is not sufficient for significant harm. Same thing here, take a C programming class and tell someone what a master boot record is, that is sufficient for a bothersome virus, but there is not need to be over protective.

Interesting to see such a controversial move being taken by the university in my home town. What do you think? Is there value in this approach, or is it just asking for trouble?
Is there value in the approach of offering this course in your hometown? I doubt it.

OH, I get it :roll: , you meant value in teaching the course at all!! Ohhh..
Yes I think there is -- if they teach concepts as opposed to teaching how to write a virus. I don't think an exercise like "write a virus that does such-and-such" is beneficial, but I do think an exercise like "I (the instructor) wrote a virus -- figure out how to analyze and stop it based on the virus writing techniques we studied".

I have to completely disagree with dma1965. The best way to educate people on the threat of virii is to educate them. One thing we need less of in the world is ignorant people. dma1965, I'm not say that you are, but I think it has legitimate educational value.

You can be educated to the dangers of things without actually creating them. Do medical schools teach doctors how to make poisons in order to teach them how to diagnose and treat poisoning cases? I don't think so.

However, given your outlook, I suppose you'd also support a course teaching how to spam. :-D

Steve

But really though, if you are having to teach how to program viruses, this will not become a problem. It would be hard to create an effective virus writer from a class.
Why not? If this is a one-semester class for computer science majors, they already have decent programming training, and you can do a lot of programming in a semester. Viruses are usually small, and I'd think you could easily code a fairly nasty one in a semester.

It's not like the operating system and compiler classes I took, where you just got some broad overview and a few projects because compilers and operating systems are typically large, complex programs.

One of the experts in the article I read said that programming a virus was a fairly trivial task. He said that programmers with talent got paid for doing programming and didn't need to write viruses.

Steve

I had to think about this one for a bit. My gut instinct was, "sure... why not" and then I began to read what I first thought was the best argument against the class: "we do not teach doctors how to make poisons, so we shouldn't teach programmers how to write virii". That made sense to me at first until I realized that poisons DO NOT THINK (ie. you don't need to THINK like a poison in order to aid someone who has been poisoned). [Note: no offense to Pony99CA intended... I initially agreed with your argument and then decided to disagree :) ] Of course, virii don't think either, but their creators do.

Why does this matter? Well, there is a problem solving process known as the "adversarial method" which involves putting yourself into the shoes of the person on the other side of the problem. This method is particularly good for writing algorithms because if you can figure out the worst scenario possible, then you "should" be able to write a good algorithm for the solution. For example, let's say you have in your possession, the most "secure" code and hardware on the market. How would one improve on this system? Well, the best way would be to try to break it by attempting to write a virus that takes advantage of some previously vulnerability in the code. In order to do this, you would need to be VERY good since you'll be writing a virus to break the "best". As such, a course (or even graduate degree) in virus writing would be important.

Today, our method of virus protection is really a "fire-fighting" approach. We wait until an experienced hacker writes a virus to break a previously secure application and then we write a patch to fix the vulnerability. This course may move us towards a "proactive" approach in which we (the good guys) find the vulnerability first and patch the problem before hackerX figures out the vulnerability.

All in all, I think this is a great idea. We need to be more proactive in our approach to fighting virii. I just hope some basic background checking and interviewing is done before admitting a student into a "virus creation program". For a single course, I don't think this is necessary. Just remember, if the course were a "anti-virus course" then nobody would be complaining BUT odds-are that the curriculum would be the same as the "virus-creation" course since the lowest common denominator in either case is the requirement that the student needs to be able to identify vulnerabilities in code in order to either patch them or exploit them. "Six or half a dozen"... it's all the same except the name :)

Pro: Know your enemy. While virus writing remains a "dark art", there is less incentive for "good guys" to fully examine how viruses are created, how they work, and the psychology of the various different types of virus author.

Con: It brings potentially dangerous knowledge to a wider audience.

In summary, I guess the outcome will depend on the quality of the course and the individual students that it attracts.

Another dumb ass idea brought to you by a typical "Insitution of Higher Learning".

I think the problem is more in the way it was announced, or at least reported. They seem to simply say that as part of the course the students would be taught how to build a virus. If instead they had stated that in order for students to better understand how to fight virii they would be shown how to build them. A suttle difference, but it does send peoples minds in a different direction when they read it.

....anyway, isn't it better to understand your opponent, then it is to be ignorant of their methods? Plus, consider this...wouldn't it be easier to identify people who may lean in that direction in a class then it is to find them in someones basement. ;)

Dave

"What do you think? Is there value in this approach, or is it just asking for trouble?

Sure there's value, simply from the "know thy enemy" approach to problem solving.

And I fail to see how it could be asking for trouble. First off, the type of people who get a thrill out of harming other people don't wait until they're in college... antisocial behavior starts when they're much younger. And secondly, anyone who takes that class has to know she's going to be popping up in a law-enforcement database somewhere the next time a major virus investigation begins. The way I look at it, it just doesn't make sense to worry about it.

--
Roger

I may be totally off base, but think the sort of person who wants to create a virus would be hanging out on the internet in hacker sites, protected be several levels of IP spoofing, under a cryptic handle, not openly registered with their real name in a college environment. The student, I would hope, is there to understand, with the intention of preventing and fighting.

Who, knows, one of those students might eventually write a virus immune OS.

The best way to fight anything is to know how your opponant works and thinks. The best people working to fight hacking are former hackers. Its true that some may use this class to start writing viri, but come on, do you really think that anyone who would go to a class on how to write viruses would really be the problem?
The problem is with the hacker who has been coding since age 5 and doesnt care about the destructiveness of his code.

The best way to fight anything is to know how your opponant works and thinks. The best people working to fight hacking are former hackers.
You can get this benefit without actually creating a virus. You get some former virus writers as guest lecturers to understand how they think. You deconstruct the code of existing viruses to know how they work.

Will you learn how to write a virus? Probably, but you won't be creating a new one.

Steve

However, given your outlook, I suppose you'd also support a course teaching how to spam. :-D
I already have my tickets for the spam conference.
http://www.j-walk.com/blog/docs/conference.htm
:way to go:

I already have my tickets for the spam conference.
http://www.j-walk.com/blog/docs/conference.htm
:way to go:
That is *funny*. :)

The term 'Software virus' has a strong prejudice stigma attached to it. Usually interpreted as being malicious. And for those who *have not* experienced any software development in creating a virus, they're views on it are immediately biased. You can't blame them though; the public only knows of 'bad' virii, as there is never any mention of their good benefits. And yes, there is much to benefit from such experimentation.

Powerful knowledge, when applied can be used for good and evil (nothing new here). An intelligent software virus comprises of many of the exact same attributes as those involved in the research for A.I. (artificial intelligence). But you never hear the media scream headlines, "a new piece of A.I. software has wreaked havoc to millions of email systems and servers".

Now place your hamster into that running wheel within your head and think for a moment, placing yourself in the position of what it takes to write a piece of software that above all else, its sole rule to stay alive is to multiply. Using only the intelligence within itself to take advantage of the environment and resources around it and continue to spread. hmm.. sounds almost like the human race. And just like some unbalanced individuals who turn on society, so do some virii. But the principal point remains that the challenge in creating such 'art', far exceeds other types of development. It also actually takes a bit from game theory. Watch out for those game developers, they can hack out virii too! Oh, but its ok to teach game development, they can't hurt anyone. :roll:

Now most software virii are dumb. And to compensate for its inadequacy's it is therefore turned to be malicious. Much like those early years during a boy's puberty. And coincidently, that is the same demographic where most such software virii emerge from (go figure, a lesson in parenting? hmm...)

Now although it may sound like I'm praising virii writers, in fact I'm just trying to educate people on some of their benfits.

I have come across many programmer's in school and the working world, and the most talented individuals were usually those who have experienced software development at the lower level of machine programming. Below the multitude of abstractions and API's. These people hack and slash and break and rip all that is deemed conformity. Such people understand the systems better then those who originally developed them. These are also the same people who can see the cracks in security and judge stability. For many years, while corporations have turned their talents away, the government has collected their services and used them to improve their systems above the rest.

Now a single course in a semester will most likely not make you that elite, but it may provide some enlightment, and instigate the path to such skills. A great benefit is also the fact that you have guidence by the education system. This action is very proactive in supporting the security industry. It is a foolish mistake by a security/antivirus company to reject such talent which quiete possibly can assist your product development.

The technology we use today has evolved from the progression of constantly emerging software ideas that push and break the barriers. And I believe that such a course will do more good then harm.

0X

As a current computer science student, I must say that I consider this attempt to be misguided at best, and idiotic at worst. Of course, teaching students antivirus techniques is an important goal, which has contributed to the many network security courses already being offered. But teaching students how to write viruses themselves is not the only answer, nor in my opinion is it the best one. It is not necessary to write viruses in order to learn about viruses or the mindsets of their authors. Some of the other methods that have been suggested here, such as analyzing existing viruses and guest lectures by former virus writers, are equally if not more effective at teaching these skills, especially in a one semester course.

A course of this kind has some pretty clear disadvantages though. I know that I wouldn't readily trust my university to safely contain these viruses from the network. Also, from personal experience I would definitely argue the notion that those attending college are unlikely to commit malicious actions such as writing viruses or hacking. Many computer science majors are indeed those who have been at it since they were five years old. Implying that anyone who takes this course is planning a career in virus fighting is simply naive. Also, I don't believe any of the suggested background checks will be implemented. Increased education is a good thing, as is teaching about the psychology of virus creation. But this isn't the way.

Just my 2 cents.

I wonder what kind of liabilities this opens up for Colleges/Universities? Normally, they would be able to shield themselves behind an "Acceptable use policy" that would enable them to expel the student that wrote and released (either accidentally or on purpose) malicious code...

Steve

Sedwo: Give me one example of a beneficial software virus. I.e. a piece of software that does everything a virus does: i.e. propogate itself to other systems WITHOUT the owner's knowledge.

Frankly, there's a HUGE difference between virus writing and A.I. technology. A.I programming doesn't try to reproduce itself and virii don't "figure out" how to replicate itself - it replicates itself the same way all the time. I think there's a pretty darned good reason why 'Software virus' has a stigma against it - it has earned it.

In the article there was one person who said that virus writing is not very complex - that's why 15 year olds write them. I've seen the code for the "I LOVE YOU" virus that hit a year or two ago and frankly, it's really simplistic. Of course I can't speak for all of 'em...

I think they should have just made this a simple security class called "Virus Protection" - and they could just go over how virii are written and then how to prevent a system from being infected and how to find the patterns virii show in the files they infect.

I think they should have just made this a simple security class called "Virus Protection" - and they could just go over how virii are written and then how to prevent a system from being infected and how to find the patterns virii show in the files they infect.
I wonder if this is what the class actually is, and they just tried to make it "interesting" to sell it to students.

Now place your hamster into that running wheel within your head and think for a moment, placing yourself in the position of what it takes to write a piece of software that above all else, its sole rule to stay alive is to multiply. Using only the intelligence within itself to take advantage of the environment and resources around it and continue to spread. hmm.. sounds almost like the human race.

Yes, it's interesting how we classify organisms. We call ourselves mammals, but all other mammals achieve equilibrium with our environment. We are more like the virus that parasidicly drains its current enviromnent and moves on to infiltrate the next. 8)

This thought brought to you my Agent Smith. ;)

Their report's here (http://www.ucalgary.ca/news/may03/virus.html). More goodies here (http://www.cpsc.ucalgary.ca/News/virus_course.html).

Among the goodies:

Students must be in the fourth year of our program and are only permitted into the program with the consent of the Department of Computer Science.

The laboratory will be housed in a secure laboratory that is locked 24 hours per day 7 days per week. Student access will be monitored and limited to only students taking the course.

No removable media will be taken out of the laboratory once it is brought in so there is no risk of viruses leaving on a floppy or removable hard disk.

No "wireless access" point will be used within the laboratory so nothing can "leak" out through the air.

No "wired" access to the computers in the laboratory will exist. Although the computers in the laboratory will be networked together, it will be impossible for a virus to leave the laboratory as no wired connection will exist to outside computers.

When the course ends - the computers used will be completely cleaned by having all removable media destroyed and all hard disks completely scrubbed down to the BIOS.

Although scrubbing a hard disk down to its BIOS sounds kinda difficult to achieve. :wink:

I still don't see any real threat. You cannot teach anyone enough in one class to create terrible havoc, there are plenty of subsitutes to a class to learn how to do this. Don't all higher level scientists eventually learn about Anthrax and other hazards? What is a com. sci. student wanted to work for Norton, McAfee or even the NSA? There is real no threat here.

It doesn't seem like a course in "how to write a virus" -- but more like, "how viruses are created and how they work." There's really big difference between the two. Just because you are a car mechanic and can fix cars, does not means you can build one from scratch.

And I think those that got this far into their college education would not go off on a tangent and do malicious things with what they've learned. If people think that this threat far outweighs the benefits of such a course -- remember the university/college near you probaby offers a major or even graduate courses in toxicology/microbiology/virology. I can just see the torrents of anthrax and VX-gas bombs coming now.

Sedwo: Give me one example of a beneficial software virus. I.e. a piece of software that does everything a virus does: i.e. propogate itself to other systems WITHOUT the owner's knowledge.

Actually, I believe somebody proposed one, and may even have implemented it. It was a virus to stop another virus. It would go look for either vulnerable or infected systems and either close the vulnerability or remove the virus.

If it is a preventative virus, closing loopholes in various systems, you could argue that's a beneficial virus.

Here's an article that discusses them (http://librenix.com/?inode=80), and why even they might be bad ideas.

Steve

I still don't see any real threat. You cannot teach anyone enough in one class to create terrible havoc, there are plenty of subsitutes to a class to learn how to do this.
Of course you can teach someone enough in one semester to wreak havoc. How long do you think it took for somebody to write the Melissa virus?

Don't all higher level scientists eventually learn about Anthrax and other hazards?
Learning about and creating are two different things. That's my point.

Steve

And I think those that got this far into their college education would not go off on a tangent and do malicious things with what they've learned.
Really? Do you remember Robert Morris and the UNIX worm (http://www.swiss.ai.mit.edu/6805/articles/morris-worm.html)? He was a graduate student at Cornell -- pretty far into his education, I'd say.

Steve

Actually, I believe somebody proposed one, and may even have implemented it. It was a virus to stop another virus. It would go look for either vulnerable or infected systems and either close the vulnerability or remove the virus.

If it is a preventative virus, closing loopholes in various systems, you could argue that's a beneficial virus.

Here's an article that discusses them (http://librenix.com/?inode=80), and why even they might be bad ideas.


Personally, I like to know what's running on my system. Sending out a virus to stop a virus is rolling the dice that there isn't a flaw in the "beneficial" virus.

I've seen Norton Anti-Virus and other virus detection programs identify somewhat important files as being infected - when they were in fact clean. I would not want a virus going around my system fixing files it thought was infected without any notification.