By Вen Li
A new computer science course at the U of C drew international headlines this week, and international condemnation.
The course, entitled “Computer Viruses and Malware,” will focus on “developing malicious software such as computer viruses, worms and Trojan horses,” according to the university, and will be taught by Dr. John Aycock.
Computer security experts have stated that teaching students how to write malicious software–malware–is unnecessary.
“Should we teach kids how to break into cars if they’re interested in becoming a policeman one day?” said senior technology consultant for Sophos Anti-Virus Graham Cluley in a statement.
Dr. Ken Barker, Head of the Department of Computer Science, explains that students will not be creating virus de novo, but will examine viruses already in the wild.
“That’s exactly the kind of misinformation that concerns us,” he said. “Nobody here says that we will create new viruses. Some media have reported that students will create new viruses, that is not correct. They’re recreating viruses, not creating new viruses.”
Aycock has previously stated that in order to develop more secure software and countermeasures against malware, software developers must first understand how the malware works.
“It’s a case of being proactive rather than reactive,” stated the U of C’s May 15 press release. “This attitude is similar to what medical researchers do to combat the latest biological viruses such as SARS. Before you can develop a cure, you have to understand what the virus is and how it spreads–why should combating computer viruses be any different?”
Cluley disagrees.
“It is simply not necessary to write new viruses to understand how they work and how they can be prevented,” Cluley said, in reference to the U of C’s comparison of malware research to SARS research. “Instead [biologists] do what we do: careful examination of new threats and a thorough understanding and analysis of the many threats which already exist. Creating new viruses is of no benefit at all, but could lead to greater danger.”
Barker asserts that the course presents no additional risk of students unleashing new viruses.
“They can do it now anyway,” he said. “If their goal is to be able to wreak havoc on computers, they’re not going to invest three years at a university before doing so.”
Cluley was also concerned with possible legal implications with the course.
“One wonders if the university will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users,” he said.
U of C Vice-President External Relations Roman Cooney stated that the university would not be responsible.
“Any reasonably bright individual can get on the Internet all the information they need to create malware,” he said. “Anybody can do this. Why would we be held liable?”
“We have taken measures to prevent students from using information to create viruses,” added Barker. “This is a fourth-year course, and it’s a closed system, so there’s no way the work they’re doing can enter into another person’s computer.”
Dan Seneker, speaking for the Faculty of Science, stated that teaching students about malicious software now helps them to write software to defend against malware in the future.
“It’s just an extension of what the U of C is doing already, with the e-security course from Continuing Education and applied cryptography in the [Department of] Mathematics,” said Seneker, who added that the virus-writing component of the course is just one assignment worth 20 to mit”er cent of students’ grade.
Dr. Jan Hruska, CEO of Sophos, disagrees. On Wed., May 28, he issued a statement with language Senekar characterized as “strong,” warning students to avoid the malware course.
“Don’t bother applying for a job at Sophos if you have written viruses because you will be turned away,” said Hruska. “You are of no use to us. The skills required to write good anti-virus software are far removed from those needed to write a virus.”
Cooney disagreed.
“If Sophos doesn’t think the best people they can hire are the people who understand how these guys think and work, our students should be going elsewhere,” he said. “They should work for a company that would value their education and training.”
Barker questioned Sophos’ intentions in criticizing the university’s new offering.
“They’re the third-largest antivirus company in North America, and arguably the second largest in Europe. Are they afraid of something? Competition?” asked Barker.
But Hruska’s comments echoed those of the Anti-Virus Information Exchange Network, an organization claiming to represent the majority of anti-virus software developers, security professionals from industry and other educational institutions. Their statement, endorsed by members on Mon., May 26, read in part:
“We call upon the University of Calgary to review its decision to include the instruction of programming of malware as part of its curriculum. There are numerous ways to instruct students in the subject of malware without resorting to the creation of more viruses.
“The creation of new viruses and other types of malware is completely unnecessary. Medical doctors do not create new viruses to understand how existing viruses function and neither do anti-virus professionals. It is simply not necessary to write new viruses to understand how they work and how they can be prevented. There are also enough viruses on the Internet already that can be dissected and analyzed without creating new threats.”
The AVIEN statement also offered to help the U of C develop the course and suggested that the university focus on tools and techniques to study malware, including viruses that already exist, teach students to defend and mitigate damage caused by malware, and study virus hoaxes, chain letters, and frauds.
“We’re willing to work with all of these companies on this, Sophos has not done anything to help us on it,” said Barker.
Seneker said that the U of C will seek input from law enforcement, philosophers, lawyers and the anti-virus community before the curriculum is finalized for fall 2003. He added that this type of course is available elsewhere.
“Others like Portland State University and [University of] New Haven in Connecticut offer courses on viruses and malware,” he said. “Ours differs in that we offer it at the undergraduate level.”
According to Seneker, the Department of Computer Science has received media calls from the Globe and Mail, the New York Times, and the Reuters news agency. Articles on the subject have been published in Africa, Asia and South America.