[unisog] Sightly OT: Re: [unisog] University virus-writing course?

Pascal Meunier pmeunier at purdue.edu
Thu May 29 14:27:38 GMT 2003


On 5/28/03 7:59 PM, "Phillip G Deneault" <deneault at WPI.EDU> wrote:

> I had a professor who was interested in creating a research project.  It
> was to be a grand security system encompassing dynamic intrusion
> detection, malware defeating agents, and some kind of unspecified
> central management system.  I read his proposals and his timetables.  At
> its peak, the project would employ or involve no less than 20 people
> including about a dozen grad students, several full time staff members,
> and about a half-dozen faculity.  The project would run its course over
> four years.

This sounds more like a software engineering project than a research
project;  if so it should be funded by venture capitalists and not research
money.  Is he a software engineer who has been involved in a project of this
magnitude before?  Do they have a professional, full-time project manager
(not a faculty member) worth his salt?  People tend to underestimate
software development, management, architecture, support and security
problems.  

I think I understand your concerns, and if I was involved, I'd question why
the live remote testing is needed, and suggest instead that they have a
remotely accessible isolated test environment, where they would login using
ssh or ssl into a single box that would firewall them off and serve their
requests and present them with the results.  Live attacks on the internet
sound like a very bad idea.  There *will* be bugs in their attack software,
and bad commands *will* be entered.  People need to be protected from them.

Cheers,
Pascal Meunier, Ph.D., M.Sc., CISSP
Assistant Research Scientist
Purdue University CERIAS
Recitation Building
656 Oval Drive
West Lafayette, IN 47907-2039

+1 (765) 494-7841 (main)
http://www.cerias.purdue.edu/




More information about the unisog mailing list