
University to Teach Virus Writing

The University of Calgary's announcement of a course that teaches virus-writing has sparked controversy around the world. Sophos' Graham Cluley condemned the course as irresponsible, Rob Rosenberger ridiculed the idea, Robert Vibert expressed his concern and AVIEN organised a public letter. Security News This Week sentenced Sophos to the Dog-House for their remarks and Jan Hruska made clear the potential students' job prospects with his company.

Our Chief Consultant, Allan Dyer, gives his opinion:

I met a similar situation: a few years ago a Hong Kong University was preparing a "continuing education" course on information security and I was invited to give the module on viruses and worms. The course organisers listed what they considered suitable content, including writing viruses. At that time, I was already very aware that the anti-virus industry strongly condemned any involvement with writing viruses but I made my own assessment and came to the same conclusion. I decided to refuse to include that activity, and the course organiser acquiesced. Instead, I asked the students to write anti-virus software.

What a lost opportunity! If I had included that, I could, today, be refuting the University of Calgary's claims that it "explores new territory" with a course that is "unique". I do not regret the loss.

There is obviously a large difference between the ethical standards of many people in the anti-virus industry and Dr. John Aycock, which I suspect stems from many security experts attempting to classify viruses and worms as just another vulnerability when there are crucial differences.

Computer Virus Basics

Everything I explain here has been said or written before by other, more distinguished writers (see Dr. Cohen, A Short Course on Computer Viruses), but it appears that not everyone was listening. A virus or worm, of course, is just another program, and it can do anything another program can do. The only difference is that it makes copies of itself. This leads to three properties: Generality, Range of Effect and Persistence. A virus can be created for any general-purpose programming environment. A virus can spread outside of the control of its creator. A virus can persist and cause a new outbreak an indeterminate time in the future.

Practical Considerations

In practical terms, the Lecturer asks a class of, say, 30 students to create their viruses. At the end of class, there are 30 new viruses in the classroom. What does the Lecturer do to prevent them escaping? He could ask the students to destroy them - what if one copy is missed, or a student secretly saves it? The virus can start to spread around the world, and virus-specific scanners will not be able to recognise it. So the Lecturer should collect copies of the 30 viruses, and send them to the anti-virus developers. The viruses are then added to the glut of new viruses that products must detect, making them (slightly) slower. Each time the course is run, the virus glut gets worse.

Educational Benefits

A little thought will show that creating a program that copies itself is not a difficult problem; any competent programmer should be capable of doing it. What then is the learning benefit of actually performing such a simple task, and how does that benefit outweigh the risks associated with the new virus escaping?

What if the students were asked to create a "good" virus? Dr. Bontchev has adequately shown that there is no such thing as a good virus. Because of their properties of range of effect and persistence, they can reach environments that the author was unaware of, or that were not even created when the virus was written, with unpredictable consequences.

But Dr. Aycock says that in order to develop more secure software, and countermeasures for malicious software, you first need to know how malicious software works and the mindset of its creators. So how can students learn to create secure software? They can use the techniques without creating self-replicating code! The payload of a virus can always be studied independently - it is just another program. The infection techniques can be studied using programs that create or modify other programs, without copying themselves. However, more useful skills for a malware researcher are in reverse engineering - if you are presented with an unknown program, how do you quickly and accurately figure out what it does and how much of a threat it presents?

Medical Ethics

The course blurb also says, "This attitude is similar to what medical researchers do to combat the latest biological viruses such as SARS." But medical researchers normally put safety as the number one priority. One of the questions that needed to be urgently answered for SARS was whether it was airborne or droplet-borne, but, as far as I know, no-one suggested the simple, obvious and accurate test of placing human subjects in rooms with appropriate sources, and waiting to see who got infected.

The DogHouse

I feel that Security News This Week's sentencing of Sophos to the DogHouse for their article is entirely unjustified. Their comments about the work are entirely consistent with the information on the course description page - it clearly states, "it will focus on developing malicious software such as computer viruses, worms", and it is this highly unethical practice Graham attacks. Additionally, the University of Calgary says the course "will help prepare them for careers dealing with computer security", so it is entirely appropriate for Sophos' CEO, Dr. Hruska, to warn potential students, "Don't bother applying for a job at Sophos if you have written viruses because you will be turned away," - Sophos is a leader in the field that the University thinks it is preparing its students for.

Dr. Aycock, self-proclaimed not-Author of Yoga for Buffaloes, obviously has a sense of humour. I just hope that this course announcement is another joke.

