University offers spam and spyware writing course
February 08 2005
by Will Sturgeon
The virus writing class of 2006 now get to create their payload...
The controversial computer science department at the University of Calgary has once again kicked off heated debate in the security industry by offering students a course in writing spyware and the tools for sending and propagating spam.
The move follows the introduction of a widely-criticised virus writing course offered by the university in 2003.
However, the reaction to the latest addition to the syllabus has been more measured, with many in the security sector saying the right skills, taught in a controlled environment will prove a useful addition to their industry.
Steve Purdham, CEO of SurfControl, said he'd certainly look favourably upon any applicant who was a graduate of the course.
"If we're looking for an engineer to help us combat problems like spam then we'd rather have somebody who has already been taught about these things and who knows how they work."
Purdham says it does the students and the university a great disservice to assume they will abuse the knowledge rather than put it to good use.
"It's like teaching safe sex," he said. "Rather than hiding ourselves away from this stuff and mystifying it – which can actually make it more appealing – we need to understand the mechanics in order to protect ourselves.
Mark Murtagh, European technical director at Websense, said: "Any good security analyst will have used spyware and hacking tools like Trojans and keyloggers to keep them up to speed on the dangers out there. Knowledge is power, and the security space is like a game of chess - you need to be completely up to date on what's available to ensure you understand your opponents potential next move."
Murtagh said there are no guarantees that students won't be 'tempted by the dark side' but said if an individual really is intent on writing spyware or spam tools they don't have to go to the lengths of enrolling in University courses.
"This information is all freely available on the internet," said Murtagh.
But not everybody in the industry is in favour of the idea.
Pete Simpson, ThreatLab manager at Clearswift, expressed shock that the university has re-opened old wounds and criticised what he sees as the unnecessary risk of training students to use techniques which can jeopardise the safety of internet users.
"When the University of Calgary first caused controversy with the virus writing course, their dubious defence was that only by writing viral code could a student fully understand and be able to protect against real viruses, but I'm sorry, that argument really falls flat for spamming tools."
Clearswift's Simpson believes the saleability of spam tools may create too much of a financial temptation for hard-up students.
And unlike with viruses the covert nature of spyware and spam tools means it may be even more difficult to trace any abuse back to students at the university if they do stray.
The university threatens students with a fail and prosecution if they are involved in any irresponsible or criminal use of malicious code.
February 08 2005
by Will Sturgeon
The virus writing class of 2006 now get to create their payload...
The controversial computer science department at the University of Calgary has once again kicked off heated debate in the security industry by offering students a course in writing spyware and the tools for sending and propagating spam.
The move follows the introduction of a widely-criticised virus writing course offered by the university in 2003.
However, the reaction to the latest addition to the syllabus has been more measured, with many in the security sector saying the right skills, taught in a controlled environment will prove a useful addition to their industry.
Steve Purdham, CEO of SurfControl, said he'd certainly look favourably upon any applicant who was a graduate of the course.
"If we're looking for an engineer to help us combat problems like spam then we'd rather have somebody who has already been taught about these things and who knows how they work."
Purdham says it does the students and the university a great disservice to assume they will abuse the knowledge rather than put it to good use.
"It's like teaching safe sex," he said. "Rather than hiding ourselves away from this stuff and mystifying it – which can actually make it more appealing – we need to understand the mechanics in order to protect ourselves.
Mark Murtagh, European technical director at Websense, said: "Any good security analyst will have used spyware and hacking tools like Trojans and keyloggers to keep them up to speed on the dangers out there. Knowledge is power, and the security space is like a game of chess - you need to be completely up to date on what's available to ensure you understand your opponents potential next move."
Murtagh said there are no guarantees that students won't be 'tempted by the dark side' but said if an individual really is intent on writing spyware or spam tools they don't have to go to the lengths of enrolling in University courses.
"This information is all freely available on the internet," said Murtagh.
But not everybody in the industry is in favour of the idea.
Pete Simpson, ThreatLab manager at Clearswift, expressed shock that the university has re-opened old wounds and criticised what he sees as the unnecessary risk of training students to use techniques which can jeopardise the safety of internet users.
"When the University of Calgary first caused controversy with the virus writing course, their dubious defence was that only by writing viral code could a student fully understand and be able to protect against real viruses, but I'm sorry, that argument really falls flat for spamming tools."
Clearswift's Simpson believes the saleability of spam tools may create too much of a financial temptation for hard-up students.
And unlike with viruses the covert nature of spyware and spam tools means it may be even more difficult to trace any abuse back to students at the university if they do stray.
The university threatens students with a fail and prosecution if they are involved in any irresponsible or criminal use of malicious code.
I never could understand the backlash it generated.
Is this a bad thing, or a good thing?
Comment