First published: 30th June 2007
Four years ago, the University of Calgary announced a course including virus writing, and the anti-virus community, including this newsletter, criticised it as a bad idea. Professor George Ledin at Sonoma State University has recently started a similar course.
Our Chief Consultant, Allan Dyer, comments:
It appears that Professor Ledin has thought carefully about this; in a 2005 column in "Inside Risks" he wrote, "Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own". The only part I disagree with is the critical last phrase, "and program their own". Self-replicating code is inherently more dangerous, and instructing students to write it has minor educational value, but very high risks. What should be taught, and what would make graduates highly sought-after by anti-virus companies, is reverse-engineering skills. Any idiot can write self-replicating code (just take a look at the virus writers that have been caught); taking apart a convoluted, obfuscated, badly-written program and correctly determining what it does and whether it is a threat is a much harder skill.