Little did officials at the University of Calgary know that offering a computer science course that teaches students how to write viruses and worms would unleash a firestorm of criticism from security professionals.
The debate over the course has raised two important questions: Does a security professional need to know how to write malicious code in order to defend against it? And, is teaching students how to write worms, no matter the educational value, intrinsically wrong because it sends a bad message?
A perennial question in security is: Can someone who knows how to attack systems help to defend them? For example, do reformed black hat hackers have special skills that could help organizations defend against their former brethren? Talking about reformed hackers is a different issue, but it does hit upon similar issues.
Jamz Yaneza, senior antivirus consultant for Trend Micro Inc.'s TrendLabs, based in the Philippines, doesn't think one needs to know how to write worms in order to protect against them. "Programming [viruses] and reverse engineering are two different skill sets," he said. "A person is usually good at one or the other."
Does virus-writing course offer subtle value?
Moreover, experts like Yaneza don't see a lot of value in learning how to write viruses. In many ways, malicious code is not the best programming, and that's especially true of worms. "Mostly, they are rehashing other worms." Yaneza said.
The university reasons that, in order for students to protect against malicious code, they need to know how these programs are made. On a more subtle level, such a class could give kids insights into how worm writers think.
"I have to agree with the university folks on this one," said Peter Klipa, senior network engineer at Baltimore-based Manchester Technologies Inc. "Knowing what makes a good virus a good virus is very critical for today's security folks."
Robert Vibert, the administrator of the Anti-Virus Information Exchange Network (AVIEN), questions the educational value of such a course. "It's important to know how they work and what they do, not necessarily whether they should be written in C versus VB [Visual Basic]," he said.
Students can learn what viruses do by looking at systems that are infected under controlled circumstances. The actual effect on systems is much more important to learn than how to create the virus, Vibert said, noting AVIEN is willing to help the University of Calgary with teaching with such an approach.
Echoing those sentiments, Jack P. Kern, a network administrator based in Franklin, Tenn., said: "Their time would be better spent learning how to detect, block and remove them –- and repair their damage -- then to waste time building them."
"There are already plenty of 'good' virulent viruses for them to work with," he added.
For Vibert, the main problem with the virus-writing course is that it sends the wrong message to young people. Kids are taught that it's wrong to write viruses and worms under any circumstances. But the Calgary course seems to erode that message because it says "writing viruses can be a good thing," he said.
No matter the value, a course on virus writing at a public university is using taxpayers' money to teach how to make malicious code, Vibert said. One can definitely question whether this is a good use of government money. "What's next? Burglary 101?" he said.
Yet some question whether the information learned from virus writing should be demonized. "Remember, it's tradecraft that these folk are learning, not witchcraft. One must know his enemy in order to engage him in combat and successfully defeat him," Klipa said.
Learn about using VMware for malware analysis
Experts say today's malware analysis tools are falling short