May 27, 2003 (01:05 PM EDT)
Virus-Writing Class Creates Stir

Read the Original Article at InformationWeek

A new course about viruses and malicious software on the fall schedule at the University of Calgary has drawn sharp criticism from some in the security field because it will teach students how to write harmful software.

The university says the course will cover the legal, ethical, and security issues surrounding viruses and worms. But the course also will "focus on developing malicious software such as computer viruses, worms, and Trojan horses that are known to wreak havoc to the tune of billions of dollars worldwide on an annual basis," the university said in a statement.

"It's just absolutely stupid," says Russ Cooper, the surgeon general for the security firm TruSecure Corp. and moderator of security mailing list NTBugtraq. "You do not need to write malware in order to understand it. We already have more than 60,000 viruses to dissect and study."

A university spokesperson could not be reached for comment.

But in a statement released earlier this month, the university said: "Why would a university want to teach its students how to develop the dark side of technology? Dr. John Aycock, professor for this course, convinced the department to support his idea for offering a course in this area. He says that in order to develop more secure software, and countermeasures for malicious software, you first need to know how malicious software works and the mind-set of its creators."

However, two groups that represent computer security professionals issued a statement condemning the university's decision. "We call upon the University of Calgary to review its decision to include the instruction of programming of malware as part of its curriculum," said the Anti-Virus Information Exchange Network and the Anti-Virus Information & Early Warning System. "There are numerous ways to instruct students in the subject of malware without resorting to the creation of more viruses."

"If the course were teaching specific sets of techniques applied in writing and controlling reproduction as a technique in programming, I would be highly supportive of it," said Fred Cohen, a research professor at the University of New Haven who teaches a graduate class on viruses, in an E-mail to InformationWeek. "But writing viruses is a pretty trivial thing to do. My graduate class on viruses, which is running right now, includes writing two sample viruses to run in a special safe environment I have provided to the students. The goal in this case is to let them know just how simple virus writing is, how viruses really work, the sorts of damage they can do, and how to handle them safely, but not to provide the means to create dangerous viruses. That is why they are written in a safe environment."

Edward W. Felten, associate professor at the department of computer science at Princeton University, said via E-mail that he wouldn't teach a course in the same manner as the University of Calgary. "There is some merit to the argument that learning how to write malware--under very carefully controlled conditions--can help one to think more clearly about how to defend against malware," he said. "But I would not teach a course about malware that way."