 |
|
This discussion is closed. This is a transcript.
How to write computer virusesAuthor: Colloquy ModeratorDate: 01-08-04 14:00 The University of Calgary set off a controversy last fall by offering students in its computer-science program a course that teaches the ins and outs of writing computer viruses. Critics condemned the course for encouraging criminal activity and threatening to unleash viruses on the Internet, but officials at the Canadian university argued that students who are taught to analyze viruses are better equipped to prevent them. Can writing viruses be taught responsibly? If not, what other steps can colleges take to prepare their students for careers in this key area of computer security? Read more ... Re: How to write computer viruses Author: Patrick Jung Date: 01-13-04 11:33 When I was in the army, I remember receiving extensive demolition training (I was an infantryman, not an engineer). I remember in particular how I was taught to make a huge road-cratering bomb using simple fertilizer and diesel fuel. Except for my training, I never actually tried to make one, but another infantryman in the army about the same time as I was (i.e., Timothy Mc Veigh, although I did not know him and he was not at my duty station) learned the exact same thing and used his knowlege to kill more than 160 people. Yes, I think such a course has the potential to be dangerous, but the potential benefits, I believe, outweigh the dangers. Just as you can learn to make a bomb with fertilizer by poking around on the Internet, you can learn to make a virus the same way. Formal training in these areas is preferred, but certainly not necessary. The course at the University of Calgary could attract those with the intent to wreak havoc, but I think it is safe to assume that most students will be interested in using their knowledge for good rather than nefarious purposes. Given all the viruses that seem to be lurking in cyberspace, I think it is necessary to have experts who understand how they are made and how to "defuse" them. Hopefully, courses such as this will make the plague of computer viruses a thing of the past. That may be a bit utopian, but I tkink the potential benefits outweigh the potential dangers. Re: How to write computer viruses Author: George Fulda, Dir. Ed., IADT Date: 01-13-04 18:16 Writing a computer virus is a relatively simple process which most compotent programming students can accomplish after sufficient study. At our institution, we teach a Network Security class which exposes the techniques of hackers in order to prevent them. Like any security study, one must know how a crime is committed before it can be prevented. As educators, we must simply be sure to include ethical studies and perspectives along-side practical security experiences and preventions. I believe this computer virus class can be valuable to ensure their prevention. More unethical academics Author: Molly Mfume, Prof. Emertitus Date: 01-15-04 03:17 The stupidity of academics never ceases to amaze me. There seems to be no bounds to what some people can justify. So teaching students how to analyze viruses will prepare them to better deal with them. Let's apply this "logic" to some other areas. 1. Why don't we teach accounts about embezzlement? That way they will be prepared to apply it when they get to the corporate world. 2. Why don't we teach engineers how to design systems that don't work. That way they can falsify design reports when they get out into industry. 3. Why don't we teach medical students the finer points of medicare fraud? That way they will know the ins and outs of bilking the taxpayers out of money. It seems nowadays academics will go to no lengths to justify their positions, no matter how stupid, illogical or asinine the claim. Its time we had layoffs in academia... Re: More unethical academics Author: Daniel Golding Date: 01-16-04 09:49 Molly, We do teach those sorts of things. 1) We teach accountants a subject called Forensic Accounting. This is "all about embezzlement". Forensic Accountants are the people trying to untangle the Enron mess, for instance. 2) We do teach engineers about fault analysis and isolation - i.e. why things don't work. 3) We don't teach med students medicare fraud, but we do teach them "how to kill people" through "mobidity and mortality sessions", which detail how other doctors manage to kill their patients. Hackers will not take the time or expend the effort to go through a university course on hacking or on virus creation (these are two different things). But we do need to equip students to work at security related enterprises, such as the government, law enforcement, or antivirus companies. Maybe its time to have layoffs, but not because of this. Re: How to write computer viruses Author: Kanghu Hsu/CSU Dominguez Hills Date: 01-17-04 00:23 First of all, a class that teaches students only how to create computer viruses is incomplete. The background, history, development, resolution, and legal responsibility and punishment for harming business are all very important components. Besides, it is somewhat misguided to introduce a class in the university course catalog with these words: "Computer Virus and Malware teaches students to develop malicious software such as computer viruses, worms, and Trojan horses that are known to wreak havoc to the tune of billions of dollars worldwide on an annual basis." What makes this description questionable is that creating viruses is not one of the ultimate goals for a computer science class. I would expect university computer science departments to prepare students for professional careers with knowledge of software design, computer applications, and theoretical problem-solving capabilities. But the wording in course catalog is a different issue from the topic of whether we should teach students the knowledge of computer viruses in the first place. Universities should and must offer classes that address computer viruses for the following reasons. First, new computer viruses surface almost every day. Consequently, providing courses that explore the background, development, theory, and resolution for computer viruses is necessary; and such classes would be crucial to all computer users. Second, courses that cover computer viruses can help students to find jobs that require similar knowledge. Third, a class focused on computer viruses can help computer science majors build a foundation for the future development of knowledge in academia. Fourth, academic developments can promote related businesses. In this case, antivirus companies will benefit from the knowledge generated in the university. Therefore, I think that offering a class that embraces computer virus design and related topics is a good idea. Re: How to write computer viruses Author: Gene Spafford, Purdue CERIAS Date: 01-18-04 12:30 I have been teaching information security courses for over 15 years. Graduates of our program are considered to be among the tops in the world in information security, and we've turned out as many as 30% of the US PhDs in this area in the last few years. In all that time we have never taught how to write viruses or specifically how to use attack tools in a class -- it isn't needed, and it isn't appropriate. Protecting a system requires knowing a lot more than how to attack a specific flaw, especially as those specific flaws are fleeting. Computer viruses embody trivial concepts that are easily taught without explicit recreation. By analogy, our colleagues in civil engineering don't teach arson techniques to students so they learn to make fire-safe buildings, and our police academy doesn't have officers commit rape to learn to teach rape prevention. There is nothing special about computing that requires students to actually build viruses or attack tools as part of a regular class. A quality program, taught by a competent instructor, will focus on the underlying concepts and the defenses against them. Sending the message to students that it is okay to experiment with writing viruses to learn about them is the wrong thing to do, just as it is the wrong thing to send a message to chemistry students that it is okay to experiment with explosives, or to biology students to experiment with poisons. Not only does it send the wrong professional message, it endangers the community. Is academic coursework or research in viruses or attacks always wrong? No, of course not. In specialized circumstances, under extreme safeguards, some research is warranted....but not as a general course. Resorting to teaching how to write viruses is a failure -- of the instructor to teach infosec properly, of the students having appropriate background, or the program to attract sufficient enrollment without "gimmicks." Re: How to write computer viruses Author: Alo Kievalar - Unaffiliated Date: 02-04-04 13:36 Most of the arguments contra teaching virus writing are based on absurd analogies (You don't teach policemen how to prevent a crime by telling them to commit a crime...and so on). One could easily say: You don't teach a pathologist how to find evidence from a corpse by asking him to kill someone. No, but you sure do teach him the tricks of the trade by using real live (I mean, dead) corpses. Or: You don't teach a pilot how to fly a plane by asking him to actually fly one. Oh yes you do, or at least you'd better hope they do. In other words, the analogies I've used here and that appear in the letters so far are infantile. The field of computer science is now so vast that only certain students would ever need to know how to write viruses. You have to be adept at a programming "language" (preferrably PERL) to be able to write up a virus, but very few computer professionals are actual "programmers". What you really have to know is how to use a UNIX platform (although LINUX is sometimes preferred). At one time (at the beginning of the field) polymaths ruled the field.....that is, you knew everything there was to know (at that time) about computers. But this is no longer the case. No one can know every facet of the field any longer. The fact is, most computer viruses that are unleashed are now downloaded from certain sites (you have to be a hacker to know where these sites are). Most hackers are not programmers in even the broadest sense of the term. They simply get the culprits from the Internet. My point is, it's ok to "teach" about viruses in a college course ... but if someone is going to be "taught" how to do this, his "heart" isn't in it and he will never become an uberhacker, let alone a criminal. Re: How to write computer viruses Author: Geane Stevenson Date: 02-06-04 11:47 I am not a computer programmer or teacher. I am not a hacker. But I am concerned about how well my computer works and I am concerned about how "safe" my personal information on the web is. I have begun to use the online convience of paying my bills, ordering Christmas presents, and tracking my finances more and more frequently. As I become more dependent on these services it is more than a little scary to think that a hacker might get enough information to steal my identity. On the one hand I do not want hackers to learn to be better by going to school. On the other hand I do want to be protected. Security is an age old problem that changes with each new technology. It used to be safe-crackers. And if you wanted someone who was really good at it, that person usually turned out to be a thief turned "good" after being caught. As an outsider, my feeling is that we need to teach more ethics classes and fewer hacker classes. Let's teach students the difference between right and wrong and let them figure out the other stuff on their own. |
Copyright © 2004 by The Chronicle of Higher Education