Class on Virus Creation Draws Industry Ire
When the University of Calgary announced plans this week to offer a
course that includes instruction on writing
"It legitimizes the creation of destructive code and provides
justification for virus writers to do their work," says Robert Vibert,
administrator of the Antivirus Information and Early Warning System and the
Antivirus Information Exchange Network. Both organizations help antivirus
researchers and virus fighters share information about
"You can quote me on this," he says. "Please don't do this, please don't teach people to write viruses."
Despite the industry's negative reaction, university officials insist the class will help develop the next generation of computer-security specialists, not rogue virus writers.
"The course is about understanding viruses adequately in order to stop them from happening," says Dr. Ken Barker, chair of the Department of Computer Sciences at the university. "We want to create the next antivirus professional who can be proactive at anticipating the next kind of virus software, the next innovators in antivirus."
Class participants would write their code in a secured computer lab, so the viruses would not reach the Internet, Barker says. And students would not create new viruses; instead they would recode existing ones. Finally, the virus writing would be only one part of a larger computer-security program that includes discussions of computer ethics and legal issues.
But representatives of antivirus software companies rejected the idea that teaching students to work on viruses would benefit anyone.
"There's no value teaching people to write viruses. They are extremely simple," says David Perry, global director of education at Trend Micro. "Looking at the 10- or 12-line replication routine once tells you all you need to know about [a virus]. That's why they're being written by 15-year-old kids."
Besides, says Ian Hameroff, security strategist at Computer Associates, there are already legitimate antivirus labs in place--and they don't teach students how to make viruses.
"The University of Hamburg has a trusted laboratory that contributes a lot to antivirus, but they're not creating viruses out there," he says "We as computer users don't want to make the unorganized availability of this information on the Web organized as a course and formalized in a university offering without having the right protections in place."
Beyond the possibility of a new virus finding its way into the real world, there's the chance that not every student would sign up for the course for the right reasons, say some opponents.
"How do they know the people who come into their course will not come out and start writing viruses?" says Vincent Gulotto, vice president of AVERT for Network Associates. "How can we, as an Internet community, be assured that [the knowledge] offered in their course wouldn't be used against us some time later?"
"It's like teaching someone to steal cars so we can design better antitheft systems in the future," he says.
Calgary's Barker says people are missing the point, and notes that most computer-science graduates today already have the technical knowledge to create a virus.
"Any of the kids that have gone through four years of university can download a 'script kiddie' script and write a virus themselves," Barker says. "These things exist out there now."
"We're not creating a bunch of people who will go out and create viruses, at least that's not my intention," he says. "These aren't hackers sitting around in the middle of the night looking to damage computers."
While the goal of the course is to prepare computer science students for work in the security and antivirus industry, executives in those industries say students who take the class may be shooting themselves in the foot.
"I have 35 researchers that didn't take any courses writing viruses," AVERT's Gulotto says. "If these students had this course on their resume, I wouldn't hire them because, among other reasons, it might perpetuate the myth that antivirus companies write the viruses we're paid to eradicate."
Other vendors echo those comments. "We will not hire anybody with a known history of virus writing," says Chris Belthoff, Senior Security Analyst for Sophos.
Sophos has long held such a policy, but Belthoff says it "wasn't as well enunciated" before. "It wasn't something you paraded around, because there wasn't this [potential] pool of virus writers."
Trend Micro's Perry says his company will be equally clear about their position. "We don't hire computer-virus writers in the industry at all. If we find out they wrote viruses, they're out the door. We tell them, 'get out, we don't want you.'"