Announcement

Collapse
No announcement yet.

A virus, spyware writing university course...

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • A virus, spyware writing university course...



    University offers spam and spyware writing course
    February 08 2005
    by Will Sturgeon
    The virus writing class of 2006 now get to create their payload...

    The controversial computer science department at the University of Calgary has once again kicked off heated debate in the security industry by offering students a course in writing spyware and the tools for sending and propagating spam.

    The move follows the introduction of a widely-criticised virus writing course offered by the university in 2003.

    However, the reaction to the latest addition to the syllabus has been more measured, with many in the security sector saying the right skills, taught in a controlled environment will prove a useful addition to their industry.

    Steve Purdham, CEO of SurfControl, said he'd certainly look favourably upon any applicant who was a graduate of the course.

    "If we're looking for an engineer to help us combat problems like spam then we'd rather have somebody who has already been taught about these things and who knows how they work."

    Purdham says it does the students and the university a great disservice to assume they will abuse the knowledge rather than put it to good use.

    "It's like teaching safe sex," he said. "Rather than hiding ourselves away from this stuff and mystifying it – which can actually make it more appealing – we need to understand the mechanics in order to protect ourselves.

    Mark Murtagh, European technical director at Websense, said: "Any good security analyst will have used spyware and hacking tools like Trojans and keyloggers to keep them up to speed on the dangers out there. Knowledge is power, and the security space is like a game of chess - you need to be completely up to date on what's available to ensure you understand your opponents potential next move."

    Murtagh said there are no guarantees that students won't be 'tempted by the dark side' but said if an individual really is intent on writing spyware or spam tools they don't have to go to the lengths of enrolling in University courses.

    "This information is all freely available on the internet," said Murtagh.

    But not everybody in the industry is in favour of the idea.

    Pete Simpson, ThreatLab manager at Clearswift, expressed shock that the university has re-opened old wounds and criticised what he sees as the unnecessary risk of training students to use techniques which can jeopardise the safety of internet users.

    "When the University of Calgary first caused controversy with the virus writing course, their dubious defence was that only by writing viral code could a student fully understand and be able to protect against real viruses, but I'm sorry, that argument really falls flat for spamming tools."

    Clearswift's Simpson believes the saleability of spam tools may create too much of a financial temptation for hard-up students.

    And unlike with viruses the covert nature of spyware and spam tools means it may be even more difficult to trace any abuse back to students at the university if they do stray.

    The university threatens students with a fail and prosecution if they are involved in any irresponsible or criminal use of malicious code.
    I took the original course last term.

    I never could understand the backlash it generated.

    Is this a bad thing, or a good thing?
    15
    Yes
    40.00%
    6
    No
    53.33%
    8
    Banana and such
    6.67%
    1
    "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
    Ben Kenobi: "That means I'm doing something right. "

  • #2
    its a good thing - people can then fix all the bugs in everything microsoft, so they dont have to pay the price of having buggy software.
    "Everything for the State, nothing against the State, nothing outside the State" - Benito Mussolini

    Comment


    • #3
      I soo hope I can take a course like that in college

      Comment


      • #4
        I voted for bananna because people who make actual deadly viruses don't need no steenking edumacation. But who knows?
        I changed my signature

        Comment


        • #5
          Anti-viruses are actually small doses of the virus.

          Is that true in computerland?
          Monkey!!!

          Comment


          • #6
            It's a dual-edged sword. All education has the potential to be misused, and generally, the courses with the greatest abhorrance to ethics, tend to be the most abused.

            There needs to be a code of conduct for all the students, and a system in place such that any work they do can be traced back to them, while they are students at the university.
            Scouse Git (2) La Fayette Adam Smith Solomwi and Loinburger will not be forgotten.
            "Remember the night we broke the windows in this old house? This is what I wished for..."
            2015 APOLYTON FANTASY FOOTBALL CHAMPION!

            Comment


            • #7
              Short answer: yes.

              Long answer: This is always a problem with teaching computer security -- it seems like every security engineering book I've ever read has a preface saying "should this book even have been written?" or something along those lines. But as a matter of principle, security through obfuscation is a recipe for failure. Also, as a matter of practicality, you don't need to take a programming course to become a script kiddy.
              <p style="font-size:1024px">HTML is disabled in signatures </p>

              Comment


              • #8
                No.

                Teaching computer security is one thing, showing them how to write spyware and spam is entirely different.

                For example, you can talk about buffer overruns and how to avoid them. You can talk about why various modules must have clearly defined interfaces and responsibilities.

                Telling students how to takeover unprotected Wintel boxes and send spam from those is entirely not necessary.
                (\__/) 07/07/1937 - Never forget
                (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
                (")_(") "Starting the fire from within."

                Comment


                • #9
                  Telling students how to takeover unprotected Wintel boxes and send spam from those is entirely not necessary.
                  That's not what the course does.

                  The course teaches you how to identify those kind of exploits yourself. Either by looking at the source code (in the case of open source projects), or by looking and playing with a binary.

                  It's not a course on how to be a script kiddy or use known vulnerabilities, it's a course on how to identify new vulnerabilities and use them.

                  Which is extremely valuable, IMO, to learning how to make your own code bulletproof.

                  FWIW, UR, the course and its programs and hacking and virus writing is done on Linux and Solaris, not Windows.

                  I also disagree that teaching "computer security" is enough. The sad fact is many people today don't understand the difference between smashing the stack and heap vulnerabilities -- yourself included.
                  "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
                  Ben Kenobi: "That means I'm doing something right. "

                  Comment


                  • #10
                    Originally posted by Asher
                    FWIW, UR, the course and its programs and hacking and virus writing is done on Linux and Solaris, not Windows.
                    That's at least 1000 times harder than writing viruses for Windows. I reckon all the students will fail if they are required to write a working sample.

                    Originally posted by Asher
                    The sad fact is many people today don't understand the difference between smashing the stack and heap vulnerabilities -- yourself included.
                    The heap is not executed. I thought you knew that?
                    (\__/) 07/07/1937 - Never forget
                    (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
                    (")_(") "Starting the fire from within."

                    Comment


                    • #11
                      Originally posted by Urban Ranger
                      That's at least 1000 times harder than writing viruses for Windows. I reckon all the students will fail if they are required to write a working sample.
                      Oh yeah, there are never any Linux software vulnerabilities.

                      The heap is not executed. I thought you knew that?

                      That's not what a heap vulnerability is.
                      "The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
                      Ben Kenobi: "That means I'm doing something right. "

                      Comment


                      • #12
                        I think the important question is whether or not it should be an undergrad course.

                        SP
                        I got the Jete from C.C. Sabathia. : Jon Miller

                        Comment


                        • #13
                          Originally posted by Asher
                          Oh yeah, there are never any Linux software vulnerabilities.
                          I see that you did not answer my question.

                          Originally posted by Asher

                          That's not what a heap vulnerability is.


                          You probably don't even know what the heap is.
                          (\__/) 07/07/1937 - Never forget
                          (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
                          (")_(") "Starting the fire from within."

                          Comment


                          • #14
                            Yes, it's good, as long as students are also properly explained that setting viruses loose is not a good idea. It will give better insight in that part of coding... and let's face it, anyone who is a programmer does anyway have enough knowledge to write a virus. Yes, it might be misused potentially, but a greater awareness of how viruses work will only help.
                            Solver, WePlayCiv Co-Administrator
                            Contact: solver-at-weplayciv-dot-com
                            I can kill you whenever I please... but not today. - The Cigarette Smoking Man

                            Comment


                            • #15
                              Originally posted by Solver
                              Yes, it's good, as long as students are also properly explained that setting viruses loose is not a good idea. It will give better insight in that part of coding... and let's face it, anyone who is a programmer does anyway have enough knowledge to write a virus.
                              Before the advent of Windows, particularly ActiveX, viruses were hard to write, even on MS-DOS.

                              Originally posted by Solver
                              Yes, it might be misused potentially, but a greater awareness of how viruses work will only help.
                              I maintain a general knowledge of how viruses spread is sufficient at this point.
                              (\__/) 07/07/1937 - Never forget
                              (='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
                              (")_(") "Starting the fire from within."

                              Comment

                              Working...
                              X