Monday, June 02, 2003

Is it unethical to teach students how to write computer viruses? Part 3 of this saga follows:

From: "John Jarvis"
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Monday, June 02, 2003 12:04 AM

----- Original Message -----
From: "M Taylor"
Sent: Sunday, June 01, 2003 1:37 PM
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing

Prove it. Explain how a student (of Dr. Brunnstein's) who has not written a malicious piece of software is less equipped to deal with new security threats than the student who wrote a file virus or macro virus (in Dr. Aycock's class).

Obviously I can't prove that. All other education and experience being equal, Dr. Aycock's graduates will have one extra tool in their belts. Will that advantage amount to anything? I don't know, but I don't think it's unethical to teach it.

Explain how having written some malware will help any professional deal with unknown malware in the wild. I argue that having had additional time to study reverse engineering of unknown code/executables is far more useful to deal with new threats in the wild.

And I would agree that reverse engineering capabilities would be invaluable to these students; why is it a question of one or the other? Again, it's just one more option available to the student. You're inundated with information at university, most of which has little direct correlation to your future profession. However, on occasion you surprise yourself with an indirect application, something only clear in hindsight. One of Dr. Aycock's graduates may have one of those moments down the road, but I'm certainly not going to sit here and tell you I can map that connection.

There are basically about 20 categories of security vulnerabilities, the bulk of which were known about in the 1970's, and virtually all by 1990. I believe viruses and malware have around 10 attack vectors, the majority of which were written about by Fred Cohen in 1983-86. As a senior undergrad level course I do not expect a lot of novel research to be done within this course.

I'll be the first to admit that I've been surprised by how much ground we're rediscovering in this field; however, I find your expectations very presumptuous.

Rehashing of old well-understood malicious software by writing their own implementation does not look towards the horizon, it will be an exercise in programming, possibly even at the scripting / macro language level (e.g. VB, VB for Apps).

I don't believe that this course will "rehash" anything. That's exactly what university courses avoid by teaching theory; it's up to the student to apply it to the state of the art. They may indeed use dated examples or assignments (that's to be seen), but to drive home concepts, not to teach them to write Uber-nimda.

I spend far too much of my professional and personal time fixing "experiments in software", and I do not see a good risk/reward benefit from such an unproven method of teaching that warrants a possibly reckless course of action.

I don't doubt your experience, but it seems that the UoC does see the benefit. How could they go about proving it to your satisfaction? Is it the lab safeguards that you're concerned about, or would nothing short of eras[ing] the student's brains at the end of the course satisfy you?
