By Will Sturgeon, 8 February 2005 17:55
NEWS The controversial computer science department at the University of Calgary has once again kicked off heated debate in the security industry by offering students a course in writing spyware and the tools for sending and propagating spam.
The move follows the introduction of a widely-criticised virus writing course offered by the university in 2003.
However, the reaction to the latest addition to the syllabus has been more measured, with many in the security sector saying the right skills, taught in a controlled environment will prove a useful addition to their industry.
Steve Purdham, CEO of SurfControl, said he'd certainly look favourably upon any applicant who was a graduate of the course.
"If we're looking for an engineer to help us combat problems like spam then we'd rather have somebody who has already been taught about these things and who knows how they work."
Purdham says it does the students and the university a great disservice to assume they will abuse the knowledge rather than put it to good use.
"It's like teaching safe sex," he said. "Rather than hiding ourselves away from this stuff and mystifying it which can actually make it more appealing we need to understand the mechanics in order to protect ourselves.
Mark Murtagh, European technical director at Websense, said: "Any good security analyst will have used spyware and hacking tools like Trojans and keyloggers to keep them up to speed on the dangers out there. Knowledge is power, and the security space is like a game of chess - you need to be completely up to date on what's available to ensure you understand your opponents potential next move."
Murtagh said there are no guarantees that students won't be 'tempted by the dark side' but said if an individual really is intent on writing spyware or spam tools they don't have to go to the lengths of enrolling in University courses.
"This information is all freely available on the internet," said Murtagh.
But not everybody in the industry is in favour of the idea.
Pete Simpson, ThreatLab manager at Clearswift, expressed shock that the university has re-opened old wounds and criticised what he sees as the unnecessary risk of training students to use techniques which can jeopardise the safety of internet users.
"When the University of Calgary first caused controversy with the virus writing course, their dubious defence was that only by writing viral code could a student fully understand and be able to protect against real viruses, but I'm sorry, that argument really falls flat for spamming tools."
Clearswift's Simpson believes the saleability of spam tools may create too much of a financial temptation for hard-up students.
And unlike with viruses the covert nature of spyware and spam tools means it may be even more difficult to trace any abuse back to students at the university if they do stray.
The university threatens students with a fail and prosecution if they are involved in any irresponsible or criminal use of malicious code.
Comments
There are 9 comments. Join the discussion
1. Lindsey Rockwell
It's about time to disclose all the vulnerabilities in Microsoft products.
All those learning to write viruses will learn how to protect them selves. Of course malicious students might abuse their knowledge to spread old- and create new viruses.
A university course is not the only way to learn that. The Internet as a whole is very good source of information if you want to create havoc.
2. anonymous
Many people know how to create a fire and I know a few how can manipulate E.Coli and realy bio viruses. Now are thes individuals an arsonists or bio-terrorist? OF COURSE NOT!
Kudos to UC for offering such a course mind a free and educated society can make life safer and improve it all around. Of course with the good comes the bad as this universe offers very FEW absolutes.
3. Roj Ash
"Pete Simpson, ThreatLab manager at Clearswift, expressed shock"... Does this mean that his staff don't know anything about such subjects? Or are they somehow intrinsically more trustworthy than other people?
4. w4r1or6
A university with a dynamic curriculum that seeks to teach student proactively should be praised. Unlike some university that simple wish to collect funding from corporation at the expense of hard working parents and students.
It seem to me that some universities have some sort of "flavor of the month" curriculum (i.e. MIS, CIS, AIS, FIS, and all the other ISes)
CM is teaching what the corporations and governments feel that we are not ready to understand. Why should someone be able to tell YOU what the hell you're ready or not ready to understand?
Pete Simpson and his cronies are a bit despotic in there illogical thinking.
Good for you CM
5. wangcheng
I think it can improve student's intersting about code
6. Kyle Larsen
I guess they are not teaching abstinence. What might be valuable to teach is how to prevent, detect, identify, and remove unwanted software. Teaching a bit of computer forensics gives a student more valuable and marketable information than writing malicious code ever will.
They should expect the people they admit to their university to already have the capability to write malicious code. That is trivial. We should expect the universities to teach ethics and skills that will be valuable to both students and industry.
7. anonymous
I it's a good idea to have this type of course, because no we can see what people are really thinking.
8. anonymous
They're NUTS! Why not teach bomb making as well?! Bomb making is probably illegal, as is spamming, scamming and propogating viruses, worms, trojans, etc, so if they teach how to spam the world, why not teach them to blow it up at the same time?! What HAS this world come to?! Is there NO common sense any more?!
9. Haydn Rees
Fyi, in academia, bomb making is called 'organic chemistry', or possibly nuclear physics, depending on what material you are making the bomb from.
You must know how to do something as a poacher before you learn to be a game keeper. If you don't know the techniques, how can you expect to stop them?
A course of ethics should be mandatory with each virus course. Otherwise it a straight 'Red Queen Paradox' race between coders and security. UC equips their developers very well by the sounds of it. Power to their elbow.