February 8th, 2005 07:45 PM
Spyware and Spam Courses at U of C
In late 2003 the University of Calgary announced their intentions to actually teach a course in virus writing (see earlier thread). It sparked a lot of controversy. The school's position was that the students would be better able to defend against malware and provide network security if they fully understood how a virus works. Many security experts argued that knowing how a virus works is not necessary to defend against it and that nothing good could come from such a course.
Fast-forward a year or so and the University of Calgary is at it again. They are expanding their malicious coding curriculum to include spam and spyware authoring. According to this article (University to Offer Email Spam Course):
"The idea is for the students to learn how these things propagate, how they are created, how they interact with the system and that sort of thing," says John Aycock, who teaches the viruses course.
"Then we turn around and say, OK, here are these things you've created; now we write the anti-software and figure out how to fight against them."
Of course, most security experts still vehemently deny the value of learning how to write malicious code in order to defend against it. This blog site in particular has a strong opinion against such a course: Media Lies Blog
Thoughts or opinions from the cheap seats?
February 8th, 2005 08:00 PM
Well...I sit on the fence on this. In past lives, as a professional civil servant, I DO NOT like the idea of people being taught how to write a virus without some sort of statement of intent on their part. I believe when this broke a year ago, there was a deal that the university was going to have students state or sign something to that effect...but I don't recall for sure. Regardless...I cringe, thinking of many of the 'computer geeks' I knew in H.S. and college taking a class like this. We are a broad and diverse group. We have shining stars and our 'Jack the Rippers'. So it frightens me.
On the other hand, being a believer in full-disclosure, I think it is important that these skills are acknowledged, taught, and shared. It's that much less that we have to do as IS professionals once the worm has already been unleashed. "Crap, this thing is written in Python? Now I have to go buy another O'Reilly book!" hehe, ok, that's a bit out there, but that's the idea, right? Why SHOULDN'T professionals-to-be learn these things? SANS is one of the most renowned training groups in the world of security, and if you don't sign up for their "Hacker Techniques, Exploits & Incident Handling" classes months ahead of time, you won't get in. SANS offers this little tidbit regarding the Hands-On workshop for this class:
Paranoia is Good
During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
Do we boycott SANS because they teach people to 'hack'? Why should us Incident Response geeks have all the fun? The virus definition teams certainly need knowledge like this. Do we balk at degree programs in Subatomic Physics just because students will learn how a nuclear device could be constructed?
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
February 8th, 2005 08:13 PM
I have no problem with this. Here's why:
Are you opposed to the FBI teaching agents how bank fraud works? How about bomb techs? Are you opposed to them knowing how to construct a bomb? Of course not. These skills are needed and essential to their trade. Knowledge is power, and if anything, you most certainly need to know how these things work in order to come up with creative ways to defend against them that you may otherwise never have thought of.
Typically, those who are opposed to people learning about this stuff are the same people who A) don't understand themselves, B) don't understand what it takes to defend against this new generation of threats, C) don't want to feel inferior when a kid half their age can get one over on them the first day in the organization.
I say teach these kids every nitty gritty detail. I know that I would be much less effective in my efforts to defend if I myself did not sit on the other side of the fence (in a past life mind you). Much of what I learned (and is not readily taught) is applied daily. These are the same skills I use now to report new viruses/worms/trojans/malware, etc., how they work and what the payload contains to Symantec, various research groups and other big players.
OK, I'm gettin off my soapbox now.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden