[unisog] University virus-writing course?

Steve VanDevender stevev at darkwing.uoregon.edu
Wed May 28 18:02:02 GMT 2003

Martin Sapsed writes:
 > I've just noticed this snippet referring to a longer article in a Sophos 
 > E-news bulleting. Is this really news and do people here have opinions?
 > Sophos reacts with surprise and disappointment to the news that
 > the University of Calgary in Canada is offering its students a
 > course in malicious virus-writing.
 > http://www.sophos.com/virusinfo/articles/calgary.html

Sheesh.  Am I undermining the field of computer security when I describe
to students why physical security is important by detailing the methods
by which one can use physical access to a computer system to bypass all
its operating system security?  Or when I give my students the
opportunity to attempt to break into their own systems via known
exploits (under very carefully controlled and supervised conditions, I
must emphasize) so they can see that it's really possible, and why they
have to defend against such attacks?

Clearly this press release is spun to Sophos's view of things, and I
would hope that whoever is teaching that class is sophisticated enough
ethically and technically to not just dump some number of new viruses
into the wild.  Of course, no sources other than those at Sophos are
quoted and no direct reference is made to the class materials so it's
hard to tell what the instructor's actual approach is.

 > P.S. This isn't intended to be marketing for Sophos, I'm just a customer...

You'd think they'd see this as a revenue stream; a possibly large number
of new viruses appearing all at once where they could get inside
information on how to recognize and filter them, which they could
probably sell for big bucks to the other anti-virus companies.

It should be observed that anti-virus companies have a strong incentive
to want _more_ new viruses out there -- they make money off of selling
updates and upgrades, so if the virus problem goes away, they go out of
business.  Are any anti-virus companies trying to attack this problem at
the source, by using their resources to encourage vendors to remove the
underlying security problems that allow viruses to exist in the first
place?  Not that I can tell.  Rather than trying to solve a problem,
anti-virus products are only capitalizing on its existence.

More information about the unisog mailing list