Do you really have to be a wolf to catch a wolf? How malicious does an IT security professional really need to be? These questions are at the centre of debate surrounding the introduction of a computer virus and malware course at the University of Calgary (Canada) which teaches fourth-year computer science students how to develop viruses, worms and Trojans. Antivirus vendors and security experts alike have been universal in their condemnation of the course claiming it will cause irrepairable harm and damage to the IT industry and unleash a generation of snarling graduates ready to cause untold damage to IT systems everywhere.
Sophos CEO Jan Hruska even released a statement warning that those who have engaged in writing viruses need not apply to the company for a job. Personally, I’m not convinced that a student with good judgement will complete this course and be transformed overnight into a rabid, virus-writing freak. We’re not talking Criminal Intent 101 here, but using the writing of viruses as a teaching method in a supervised laboratory environment. It really does come down to character, and ethics training is included in the curriculum.
Many of the largest security vendors offer “extreme” hacking courses to IT professionals offering participants the opportunity to get inside the mind of a hacker and gain comprehensive skill sets in the so-called black arts so that they can gain greater insight into protecting company systems. I am unaware of any of these participants leading the hacker underground into revolt after completing such a course; it is more likely they return to their mundane office existence with a more enlightened approach to protecting the keys to the kingdom. Joining the chorus of opposition to the course, TruSecure Australia security analyst Stuart Johnstone said it is based on a “fatally idealistic premise that makes an assumption that people are noble and immune from making errors in judgement”. He went on to say it is simply teaching students how to be malicious. There is no such thing as a secure laboratory, he said, pointing out that many viruses in the wild today exist because the author couldn’t resist the temptation of seeing how it spread in a network environment.
We all know about temptation and his arguments are not unreasonable, but let’s keep an open mind. Despite all the hysteria my only concern is how malicious are these students going to be if they graduate and can’t get a job. Drop me an e-mail to firstname.lastname@example.org and let me know if you’re a wolf.