Saturday, May 31, 2003

The argument over teaching computer virus and malware writing continues on the EFC's talk mailing list:

From: "John Jarvis"
To: efc-talk@efc.ca
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Saturday, May 31, 2003 7:18 PM

----- Original Message -----
From: "M Taylor"
To: efc-talk@efc.ca
Sent: Saturday, May 31, 2003 6:24 PM
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing

Dr. Brunnstein claims that teaching the writing of malicious software is unethical, not teaching about malicious software, which is something he himself does.

Yes, I realize that and I don't agree with him. Graduates who do not know how to write malware will not be as effective at combatting it as those who do. It's a question of the level of knowledge we're equipping these students with, and raising that level, as a goal, is not unethical in my mind.

I tend to think that spending time writing malicious software may not be the best way to learn and understand.

But it may be. There's a world of difference between being able to speak to something and being able to do it. Most people learn through application.

Just as most security professionals do not write new exploits, I do not think anyone would seriously argue that all security experts should publish new exploits into the public knowledge, especially while the vulnerability is not fixed in the target software. Even the full disclosure movement, such as some authors on the Bugtraq mailing list, has moved to the better security researchers giving reasonable lead times to affected vendors/authors before publishing the mere fact that a vulnerability exists. Fewer researchers publish actual exploits, and most are more concerned with reducing the threat of vulnerable systems.

So, what you're saying is, these graduates will only be good for writing exploits? Or they'll be more inclined than others? Who said anything about publishing exploits in the public domain? None of the course work leaves the lab.

Most security professionals are out there helping organizations defend themselves as best they can today. Of course those guys aren't writing the latest stuff. We need people looking ahead, developing the systems that will protect us from threats that are on the horizon. I don't know that these graduates will be any better at that than Dr. Brunnstein's graduates, but it's worth a try.

As for full disclosure vs. lead time, that's a tangent, and one that we certainly haven't figured out yet. There've been prominent cases of companies squandering reasonable lead times in inter-departmental blame wars.

Understanding malware is something the entire computing/IT community needs more of, but I am not certain that to get there we need more practicing (academic or otherwise) virus writers.

Yes, but should we shut the whole thing down because you aren't certain? This is a worthwhile experiment, in my mind.

I don't think Arson Investigators spend a lot of time setting fires, but do practice examining fires.

My point was that spin doctors *could* have a field day describing the courses, not that the association actually teaches that stuff.

I'm glad the University of Calgary isn't backing down on its decision to teach computer virus and malware writing. I particularly liked this quote from the statement they issued, defending their decision:

Is there another way to teach about stopping viruses without providing adequate knowledge so that the students could write a virus? The answer is simple: No. Anyone who claims they can fight a virus but could not write one is either uninformed or trying to mislead for other reasons.

And then there are the naysayers (from an InformationWeek article on the statement):
"That is utterly ridiculous," says Pete Lindstrom, research director for Spire Security. "There are plenty of ways to gain the same level of knowledge other than the destructive knowledge of having students create new viruses. We don't teach sex education by having students have sex in class."

I'll tell you what's utterly ridiculous: comparing malware to sexual intercourse. Any couple, and I do mean any couple, can have sex. Understanding malware well enough to design defenses against it? Not so much. Sex education protects our kids; we're pretty sure they've figured out most of the act by the time they're sitting in the class. If I complete that analogy, we're talking about a course that teaches students the dangers of executable e-mail attachments. :-/ I'm sorry, we're expecting a whole lot more from these graduates.

I sent the following message to Electronic Frontier Canada's talk mailing list in response to an attack on the new computer virus and malware writing course to be offered at the University of Calgary:

From: "John Jarvis"
To: efc-talk@efc.ca
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Saturday, May 31, 2003 5:41 PM

I think it's important to challenge the axioms of IT security, and I was intrigued by Dr. Aycock's ideas. Setting aside his SARS analogy, I agree with him on the game of catch-up that security professionals are playing today. By blanketing most of the proposal as unethical, I feel that Mr. Brunnstein is doing it a disservice.

Yes, the idea of "thinking like an attacker" doesn't leave me with a warm feeling (both as an IT security professional and a connected citizen), but I didn't have a problem with it, given the context of the Web page, whenever I first read it. What students take away from that course will depend upon the professor, just like any other course. Knowing how to write malware *does* give you a weapon, just like knowing how to set fires well gives you a weapon. I'll bet the International Association of Arson Investigators, Inc. could make some of their course descriptions look pretty menacing too. In both cases, you *choose* what to do with that knowledge.

People appreciate knowledgeable and trustworthy professionals informing them about flaws in their home security system, regardless of whether that professional learned his or her trade in the classroom or first hand.

I'm not saying we shouldn't be concerned about teaching this sort of material; on the contrary, I think the course should be heavily audited to get some *informed* discussion going amongst academics and security professionals alike. All the absolutes thrown around in Mr. Brunnstein's message truly struck me as fear mongering.

John L. Jarvis, BCS

----- Original Message -----
The original message was forwarded verbatim from The Risks Digest Volume 22: Issue 75.

Saturday, May 24, 2003

The Ottawa Senators did their city proud

It doesn’t get much better than Game 7 in the Eastern Conference final, especially for a city that hasn’t seen the third round of the Stanley Cup playoffs since 1927. I’d been to about half a dozen Senators games prior to last night, but nothing could prepare me for the Corel Centre at playoff time. Well, I’m getting ahead of myself here, so I’ll back up a few days.

Watching Games 5 and 6 was some of the most emotionally-draining hours I’ve had in years. It takes me back to the 25413 overtime games Montréal had to play to win the Cup in 1993 (but I was younger then; my heart could take it, and kids never really think their team is going to lose anyway). With the headline, “Looking for a miracle,” flying through my head, I watched the Senators stay alive on Monday night, and Bob Cole couldn’t have said it any better: “If you’re a hockey fan, you gotta be having the shivers right now. This guy’s just a kid, folks.” Spezza scored a beautiful goal and assisted on the game winner.

Then it was off to New Jersey. I’ll be honest: I didn’t watch Games 3 or 4, and I was intimidated by the look of their ice on Wednesday night; it just looked bigger, international even. And then there was the Devils' record! How could we compete with that?

After hitting the goal post and the crossbar in the third period, Alfredsson’s post in overtime almost killed me. I mean, it was hard enough watching that second period, after what Grapes called a “no contest” first period, but now Lady Luck had abandoned them too? When Phillips put it in the net, I couldn’t believe my eyes. Brodeur and I had the same thought, looking to the referee, expecting (hoping, in Brodeur’s case, I'm sure) that it wouldn’t count. And how about the look on the guys’ faces; that’s what the game’s all about, a big pile of ecstatic guys, alive for another day. They did us proud that night; no one can take that away from them.

So it was back to Ottawa for Game 7 last night. My wife surprised the hell out of me by getting us tickets (before Game 6, making that victory all the more exciting), so I could barely sit still yesterday. I picked at my supper in the pub, and the shuttle ride out to the Corel Centre was filled with much thigh pounding, spontaneous laughter and fist pumping. My wife loved it, of course. She knew I'd be happy to be going, but this enthusiasm was a pleasant surprise.

“Is this better than the Tool shows?” she asked.

“Better than the Ottawa show by far, but the Toronto show was my first one, so no, it was a bit better than this.”

Then we were driving past the Kanata sign, and there were a bunch of kids hanging out, waving Senators flags. What a moment! That’s what hockey’s all about: Dreams.

The Corel Centre was an island in a sea of people. There were tents out front, jugglers, television crews, police in fancy mobile homes, tens of thousands of people in Senators garb, and us. When we came out on the 300 level, I had to stop; I'd never seen the place packed (and packed it was; 18500 in attendance, I found out later). We went up to our seats and got our towels – I’d forgotten about the towels, so that put an even bigger grin on my face.

I was so mesmerized by the view that I didn’t even notice my wife spitting on my face. Some coworkers that we met there had coloured pencils (like you’d see at Halloween), and apparently they work better on wet skin. In no time, our faces were screaming, “Go Sens go!” along with our throats.

The anthems were incredible. I get goose bumps just listening to them at home. Here, in the middle of it all, I was singing my lungs out, and waving my towel around ‘til my shoulder ached. That, combined with Arvedson’s goal in the first few minutes, did my voice in. When Magnus scored, I yelled and yelled. I barely paused for breath. My wife said I looked like a baby being born. Well, what can I say? I was excited. A few minutes later, I was trying to tell the woman sitting next to me that it was Spezza who just got hit with a high stick, but only wheezing honks came out.

Unfortunately, the rest of the period and much of the next saw the Senators sitting back. I wasn’t really sure they wanted it. But before the second period was out, they started coming on again, and they tied it up early in the third. I don’t need to tell you how it ended, but as the last regulation minutes in the series were ticking away, you knew it had to end like that for one of these two teams; they were so evenly matched.

I really had a great time. I mean, I missed a lot of face-offs, and it was hard to take in all the play when the cameraman’s eye wasn’t directing me, but sitting at home couldn't hold a candle to the throbbing cheers and tens of thousands of whirling towels when the Senators scored.

They played a great game, and they had a great run at the Cup. As one of the ushers said to me as we were leaving, “[I'll] save it for next year.”

John L. Jarvis is a writer working out of Ottawa. He can be reached at john_l_jarvis@hotmail.com.