I sent the following message to Electronic Frontier Canada's talk mailing list in response to an attack on the new computer virus and malware writing course to be offered at the University of Calgary:
From: "John Jarvis"
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Saturday, May 31, 2003 5:41 PM
I think it's important to challenge the axioms of IT security, and I was intrigued by Dr. Aycock's ideas. Setting aside his SARS analogy, I agree with him on the game of catch-up that security professionals are playing today. I feel that, by blanketing most of the proposal as unethical, Mr. Brunnstein is doing it a disservice.
Yes, the idea of "thinking like an attacker" doesn't leave me with a warm feeling (both as an IT security professional and a connected citizen), but I didn't have a problem with it, given the context of the Web page, when I first read it. What students take away from that course will depend upon the professor, just like any other course. Knowing how to write malware *does* give you a weapon, just like knowing how to set fires well gives you a weapon. I'll bet the International Association of Arson Investigators, Inc. could make some of their course descriptions look pretty menacing too. In both cases, you *choose* what to do with that knowledge.
People appreciate knowledgeable and trustworthy professionals informing them about flaws in their home security system, regardless of whether that professional learned his or her trade in the classroom or first hand.
I'm not saying we shouldn't be concerned about teaching this sort of material; on the contrary, I think the course should be heavily audited to get some *informed* discussion going amongst academics and security professionals alike. All the absolutes thrown around in Mr. Brunnstein's message truly struck me as fear mongering.
John L. Jarvis, BCS
----- Original Message -----
The original message was forwarded verbatim from The Risks Digest Volume 22: Issue 75.