IT Employment

General discussion


Virus Composition 101

By maxwell edison ·
The following was reported in Information Week Magazine:

A new course this fall at the University of Calgary will teach students how to write viruses and worms, along with the legal, ethical, and security issues related to creating malicious code. Developing more secure software requires this firsthand understanding, professor John Aycock said in a statement. But two groups representing IT security professionals condemn it. Russ Cooper of the security firm TruSecure Corp. and moderator of security mailing list NTBugtraq says, "We already have more than 60,000 viruses to dissect and study."

-George V. Hulme (Internet Week)

Having been recently affected by one of those nasty little bugs, I tend to agree with Mr. Cooper. There is obviously enough knowledge out there already to write virus code, so why teach even more?


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Moot point

by djent In reply to Virus Composition 101

If you are going to study code and procedures then creation is a short step away.

Collapse -


by Cactus Pete In reply to Virus Composition 101

Well, while I'm not against the idea of teaching people how to write virus code in order to help train them to recognize what it's attempting, or to write more secure legitimate software, I *do* think that a college course might not be the ideal location [or even time in life] to teach it.

Perhaps when a student has gone through many prerequisite courses on various languages, upper level software development, ethics, and a course in secure code... Maybe then it would be appropriate to hold acourse in how a virus is written... However, byt then it is certainly a senior-level course, and perhaps graduate-level. In which case, it would make sense that this be something intended for software professionals.

I would feel more secure [pun intended] if this were a course for corporate training, rather than a potential formal training of a script kiddie.

Collapse -

Short blurb

by Cactus Pete In reply to Yuck

Wow, I thought you perhaps only copied part of the article, but that's the whole story?

How disappointing. The article seems to knowingly [how couldn't the writer know]raise far more questions than the amount of information it provides. It smacks of journalistic sensationalsim - a peeve of mine.

I'd like to know what, if any, prerequisite courses are in line for the mentioned class. I'd like to know what the prof intends to do should one of the student's projects become wild. I'd like to know if the university consulted its lawyers about potential law suits against them should that code clog up the world's servers and cost billions in lost productivity [if nothing else].

Or might that just earn you an A for the term?

Collapse -

Yes it is

by maxwell edison In reply to Short blurb

It is only a short blurb, and I too checked for a longer and more detailed online version. And I had some of the same questions as you.

What if, for example, this professor teaches Johnny to write this malicious code - code which finds its way toa corporate computer - and causes millions of dollars in damage? I've never heard of schools being held lible for teaching, but.......?

Oh Canada!

Collapse -


by Cactus Pete In reply to Yes it is

How DOES one get graded? On theory by reading the uncompiled code? Or should you set up your own mininet and watch it go!! [Replete with stoopid users?]

Collapse -

Never enough information

by Cactus Pete In reply to Virus Composition 101

OK, so I checked the site at the school:

It stills tells you nothing of the particular course, though it's listed at the 500 level, and is considered a 'special topic'.

If anyone has more information on this, particular something first hand, I'm interested in seeing it.

Collapse -

A couple of views

by Oz_Media In reply to Virus Composition 101

A few thoughts, the first may be quite an ugly but realistic view.

1) generally, the people who write the best viruses are the best people to hire to analyze a new virus. I think this is why hackers and virus writers are always being hired by thetop security companies. I think this thought process would be the ONLY valid reason to teach such a course.

2) This is a way to teach the tech wannabes how to write malicious code. This is a dangerous road to take because if someone doesn't have the skills to obtain an IT job or was fired for incompetency or poor ethics, now the person will know how to get revenge at the industry, a specific company or end user.

If this type of course will be taught, it should be limited to EMPLOYED security professionals. They should be CAREFULLY screened and qualified with any code samples kept in a secured classroom environment. I know this sounds a little extreme but some code is so malicious that it must be seen as a threat similar to any contractable human virus, ie. smallpox, black plague etc. Although these diseases are life threatening, a company can also be destroyed, along with hundreds if not thousands of employee livliehoods over malicious code.

Collapse -

But it is Calgary

by Oz_Media In reply to A couple of views

I wouldn't worry too much, Calgary (although an absolutely gorgeous city)is full of people trying to create the best cowpie remover anyhow. Maybe when the chuckwagons are computerized it may be viable to send the odd virus to one in hopes of winning the Stampede, but I don't think it is too big of a market.

Collapse -

New designs and early prevention

by generalist In reply to Virus Composition 101

I could see where such a course could be useful for creating new virus designs in a controlled environment. If the course encourages synergistic thinking, it might be possible to invent a new family of virus that could then be sent to the antiviruscompanies for preventative measures.

Of course, it had better be a well controlled environment with background checks on the students and high level 'safe computing' measures in place. If there are any means by which a virus can escape the controlled environment, they need to be secured. This would include network connections to an outside network, ZIP drives, diskette drives, CD-R\RW, removable hard drives and other related items.

Ideally, such an environment should be in a locked roomthat is only opened when it can be watched. Securing it against IR, wireless and even an extra long network cable needs to be considered.

Call it paranoia. But considering how important computers are to tech society, paranoia regarding virus work should be at the same level as paranoia regarding biochemical work.

Collapse -

Educate to Prevent Virus Programs?

by TheChas In reply to Virus Composition 101

Max, I am glad that you started this thread.

I saw an article on the course myself, and was similarly appalled.

I wonder if professor Aycock is looking at his course the same way academia looked at the first generation of sex education programs.

Perhaps, he believes that if you teach programmers how to write virus code, you will take away the desire to write malicious code.

This makes almost as much sense as college courses in the philosophy of Homer Simpson.

At a minimum, Mr. Aycock needs a lessen in human nature.


Related Discussions

Related Forums