[unisog] Sightly OT: Re: [unisog] University virus-writing course?

Phillip G Deneault deneault at WPI.EDU
Thu May 29 20:47:56 GMT 2003

On Thu, 29 May 2003, Pascal Meunier wrote:

> On 5/28/03 7:59 PM, "Phillip G Deneault" <deneault at WPI.EDU> wrote:
> > I had a professor who was interested in creating a research project.  It
> > was to be a grand security system encompassing dynamic intrusion
> > detection, malware defeating agents, and some kind of unspecified
> > central management system.  I read his proposals and his timetables.  At
> > its peak, the project would employ or involve no less than 20 people
> > including about a dozen grad students, several full time staff members,
> > and about a half-dozen faculity.  The project would run its course over
> > four years.
> This sounds more like a software engineering project than a research
> project;  if so it should be funded by venture capitalists and not research
> money.  Is he a software engineer who has been involved in a project of this
> magnitude before?  


> Do they have a professional, full-time project manager
> (not a faculty member) worth his salt?  

The plan is to hire one but I don't know who so I cannot comment on 
his/her skills.

> People tend to underestimate
> software development, management, architecture, support and security
> problems.  

Which I think it something that has happened, or at the very least I think 
the professor is underestimating the amount of work necessary for running 
this project.  Even the timetable(4 years) seems small when you consider 
the fact that grad students are on a 2-3 year rotation and if anyone 
leaves(student or staff) there'll be at least 6 months of training on the 
project to bring someone else fully up to speed.  

> I think I understand your concerns, and if I was involved, I'd question why
> the live remote testing is needed, and suggest instead that they have a
> remotely accessible isolated test environment, where they would login using
> ssh or ssl into a single box that would firewall them off and serve their
> requests and present them with the results. 

When I suggested this concept to the professor when this was still in the 
very early planning stages, I was looked at with shock.  That I even 
suggested an isolated environment was to invite demons from the beyond 
into the room.  We have a public class B with very little in the way of 
firewall rules.  Sometimes, when I suggest that people need to be 
responsible for their actions even on an educational network, people 
overreact(and sometimes underreact).

> Live attacks on the internet
> sound like a very bad idea.  There *will* be bugs in their attack software,
> and bad commands *will* be entered.  People need to be protected from them.

I agree, but how do I explain this idea to someone who doesn't seem to 
understand information and network security?  When I suggested what you 
mentioned above, I think he took it as an insult, as if he'd never made a 
mistake in his life.  


Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            maddness of art." - Henry James

More information about the unisog mailing list