Sunday, June 01, 2003

The argument over teaching computer virus and malware writing continues on the EFC's talk mailing list:

From: "John Jarvis"
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Saturday, May 31, 2003 7:18 PM

----- Original Message -----
From: "M Taylor"
Sent: Saturday, May 31, 2003 6:24 PM
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing

Dr. Brunnstein claims the teaching the writing of malicious software is unethical, not the teaching about malicious software, which is something he himself does.

Yes, I realize that and I don't agree with him. Graduates who do not know how to write malware will not be as effective at combatting it as those who do. It's a question of the level of knowledge we're equipping these students with, and raising that level, as a goal, is not unethical in my mind.

I tend to think that spending time writing malicious software may not be the best way to learn and understand.

But it may be. There's a world of difference between being able to speak to something and being able to do it. Most people learn through application.

Just as most security professionals do not write new exploits, and I do not think anyone would seriously argue that all security experts should publish new exploits into the public knowledge, especially while the vulnerability is not fixed in the target software. Even the full disclosure movement, such as some authors on the Bugtraq mailing list, has moved to the better security researchers giving reasonable lead times to affected vendors/authors before publishing the mere fact that a vulnerability exists. Fewer researchers publish actual exploits, and most are more concerned with reducing the threat of vulnerable systems.

So, what you're saying is, these graduates will only be good for writing exploits? Or they'll be more inclined than others? Who said anything about publishing exploits in the public domain? None of the course work leaves the lab.

Most security professionals are out there helping organizations defend themselves as best they can today. Of course those guys aren't writing the latest stuff. We need people looking ahead, developing the systems that will protect us from threats that are on the horizon. I don't know that these graduates will be any better at that than Dr. Brunnstein's graduates, but it's worth a try.

As for full disclosure vs. lead time, that's a tangent, and one that we certainly haven't figured out yet. There've been prominent cases of companies squandering reasonable lead times in inter-departmental blame wars.

Understanding malware is something the entire computing/IT community needs more of, but I am not certain that to get there we need more practicing (academic or otherwise) virus writers.

Yes, but should we shut the whole thing down because you aren't certain? This is a worthwhile experiment, in my mind.

I don't think Arson Investigators spend a lot of time setting fires, but do practice examining fires.

My point was that spin doctors *could* have a field day describing the courses, not that the association actually teaches that stuff.