[unisog] University virus-writing course?

John Stauffacher stauffacher at chapman.edu
Thu May 29 02:20:49 GMT 2003

It's kind of interesting, this whole topic. Let's take it out of the construct
of Virii and Malware -- and put it into some simpler terms. Take your
college chemistry class, or better yet a botany class. Can your students not
create illegal drugs, and/or grow contraband? Even your High School wood
shop class allowed you to make weapons that were considered "not allowed" at
school, or the pottery class in which you could make other devices that were
not so legal. The point of the matter here is, Academia would not be
anywhere if people sat around afraid to explore. I agree with SOPHOS this
may not be the best thing in the world to do -- giving enterprising kids the
ability and training on writing malicious code -- maybe not the smartest.
But what if...what if one of those people comes out of that class and writes
the next big virus killer, the next "big thing". Would it not then be worth
it? One individual succeeding in doing something for the greater good of the
whole; juxtapose that with the counterpart. The one individual who comes out
of class and writes the next super-virus; well - now SOPHOS has to actually
do something (besides writing virii themselves to stay in business) and find
a way around it. In the University setting we are always going to come
against this wall of Academic Freedom vs. Individual Rights vs. "The
University". The balance becomes compromise, and responsibility. If you're
going to teach a class such as this, make damn sure that code doesn't leak
out, or is somehow safeguarded against misuse. Offer strict penalties to
those who break the rules. Take all the computers used off *ANY* network and
consider them tainted from the moment the student sits down at them. Would
teachers do this? Probably not, so SOPHOS kind of does have a platform to
stand on, to them it looks like an impending danger. Sort of like the old
lady who complains because cars drive too fast down her street, ever since
they raised the speed limit to 45mph -- has anyone been hit? No, but the
possibility exists therefore she is making a stink about it. The minute
somebody does get hit -- she's right there with the "I told you so". If I
were in any administrative role in this whole effort, I would probably start
small and work big. Offer a small class on the subject with more book time
than anything else -- show the AV community that you mean no harm and can
act responsibly. Maybe even invite them in.

Just my $.02

-John Stauffacher

John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
"If the only tool you've got is an axe, every problem looks like fun!"
"it's a lot harder to ask permission than forgiveness."
"Success is something I will dress for when I get there, and not until."

-----Original Message-----
From: Jim Dillon [mailto:Jim.Dillon at cusys.edu] 
Sent: Wednesday, May 28, 2003 3:53 PM
To: Martin Sapsed
Cc: SANS (E-mail)
Subject: RE: [unisog] University virus-writing course?

I basically agree with the comments put forth previously on the "Virus and
Malware" course.  One observation I had countering this was this quote (if
indeed it is accurate outside of its context.)

"developing malicious software such as computer viruses, worms and Trojan
horses that are known to wreak havoc to the tune of billions of dollars
world-wide on an annual basis." 

The wording is unfortunate, in that it seems to be encouraging the study of
developing "malicious" software and "wreaking havoc".  It does appear to me
that Universities do have some responsibility to support social ethics.
Acting in a malicious manner and wreaking havoc should not be supported.
Understanding how viruses and malware are created is useful.  A virus or
application really isn't a "bad" thing in and of itself (it's really neutral)
until it is executed or handled irresponsibly and causes someone else harm.
Academic freedom should not include the freedom to encourage malicious and
damaging social activity.  I'm pretty sure that with full context this class
wouldn't really support such activity.  If it did, then SOPHOS would have a

I think the advertisement for the class, if it did carry the tone SOPHOS
proposes, could have been done more responsibly.  I don't think that's an
argument that should be used to say such a class is bad.  On the contrary,
understanding your "enemy" is a key skill in negotiating, and in war and
conflict.  To not gain such knowledge leaves you at a disadvantage. Like the
rest of the commenters, SOPHOS is being a bit self serving, and I don't
agree that having classes that teach about virus creation is irresponsible,
rather, it really is necessary to build good defenses.  The university might
have been a bit more careful in its wording/approach.  Of course again, this
is assuming that the phrase quoted would hold up as an affirmation of
malicious behavior if read in context.  I have a feeling it wouldn't carry
that tone if you read the whole context.  My vote, SOPHOS gets the egg on
their face this time.  You can assert almost anything out of context.

Best regards,


Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: Martin Sapsed [mailto:m.sapsed at bangor.ac.uk]
Sent: Friday, May 23, 2003 8:23 AM
To: unisog at sans.org
Subject: [unisog] University virus-writing course?


I've just noticed this snippet referring to a longer article in a Sophos 
E-news bulletin. Is this really news and do people here have opinions?

Sophos reacts with surprise and disappointment to the news that
the University of Calgary in Canada is offering its students a
course in malicious virus-writing.




P.S. This isn't intended to be marketing for Sophos, I'm just a customer...

Martin Sapsed				
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
