A Public letter to the University of Calgary

My name is Fridrik Skulason.

I have been developing anti-virus technology for 14 years. I was for many years the technical editor of the Virus Bulletin - the leading specialist publication in the field of viruses and related malware, and I am one of the founding members of CARO (Computer Antivirus Research Organization), which includes the leading virus experts from most anti-virus companies.

I read the article at http://www.cpsc.ucalgary.ca/News/virus_course.html with considerable interest and I do have a few comments on the points raised there:

"The course will prepare the newest computer professionals with the expertise needed to work in a computing environment which includes more than 80,000 computer viruses and other forms of malware."

I just wanted to make sure that you are aware of the effects that participation in the course may have on the students' future career. Most anti-virus companies (including ours) have a policy against hiring former virus writers for anti-virus work. What this means is that in the event that the students actually learn something useful in the course, they will most likely not be able to obtain employment in the anti-virus industry due to their participation in the course, and thus not be able to contribute to actually solving the virus problem.

"The current approach of reacting to the viruses is simply not working."

While this is true, it has more to do with flaws in human nature - as long as 97.3% (according to the research of Dr. Vesselin Bontchev) of people do not react in an optimal way to a virus infection, viruses will continue to spread. I fail to see how development of more viruses will help in that regard.

"Some detractors claim that teaching students about viruses is "wrong""

Nobody has made that claim. If you had decided to hold a course on "Detection and analysis of malicious software", nobody would have objected. You would have received the support of the anti-virus industry and other academics instead of the condemnation you are receiving now. With over 80,000 viruses in circulation, there is plenty to learn from dissecting and analysing those that exist - writing more viruses will simply not produce any new benefits.

"Further, a critical element of being able to stop these viruses is to have sufficient knowledge about them to be able to write them."

This is not so. First of all, over two thirds of existing viruses are created by modifying existing variants. It does not take much skill to be able to modify virus source code in that way - a reasonably intelligent 10-year-old kid can do that. Is that all the skill you are going to require your students to demonstrate?

There are a few virus writers who have been able to write code of a quality high enough to indicate that they could have been writing "serious" code (including anti-virus programs), had they decided to. The virus writer who went by the name "Vecna" is one example that comes to mind, but the bottom line is that the skills required to write anti-virus programs are far, far above those required to write viruses - an important point that you utterly fail to address.

Most virus writers are simply not of that caliber... forgetting the "script kiddies" and those that only modify existing viruses, the remainder write such bad code that (assuming the code shows their true abilities) they would have a hard time getting a real programming job.

"Is there another way to teach about stopping viruses without providing adequate knowledge so that the students could write a virus? The answer is simple: No."

The knowledge required to write a virus is a small subset of the knowledge required to detect viruses. Real computer virus experts also agree that writing viruses is ethically unacceptable - a position which you sadly do not seem to agree with.

"We have to wonder why the anti-virus software companies are so opposed to development of software that could prevent viruses from proliferating."

Anti-virus companies are not opposed to such development. Anti-virus companies are opposed to anything that appears to legitimize virus-writing in any way, shape or form. Your university course will produce no real benefits for antivirus companies or for users. Its only long-term effect will be a black mark on the reputation of the University of Calgary, at least as far as computer security professionals worldwide are concerned. In other words, you will not be trusted in the future.

"Protecting the Learning Environment."

I have a few comments regarding this section. It says that "No removable media will be taken out of the laboratory." I hope that this implies an armed guard at the door, doing a full body search of the students as they depart, because anything else would be insufficient. But what about things like printouts of the virus source code? Assuming that the students are really able to create a working virus, I sincerely hope that they will not be able to take home a printout of it, only to type it back in on their home machine. I would very much like to see some assurances in this area.

"Anti-virus community: We have been in contact with members of the anti-virus community and they have offered to help us in delivering the course and in developing its curriculum."

There is also the question of what if some student manages to smuggle a virus out of the lab and releases it. Does the University's liability insurance cover any potential damage the virus might cause?

Members of the anti-virus community, including myself, would have been more than willing to help you develop a course on malware analysis and detection. However, should you persist in including the creation of viruses, I expect that all such offers will be withdrawn. No self-respecting anti-virus researcher would want to damage his reputation by being associated with a virus-writing course.

"Most of this community accepts the argument that stopping viruses requires sufficient knowledge to also write a virus so they are willing to work with us."

The vast majority of the anti-virus community condemns the part that involves writing viruses, considering it ethically unacceptable, pointless, and outright stupid. On all mailing lists in the anti-virus community, all real virus researchers have agreed that what you are doing is unacceptable, and simply stupid.

You may be secure in your academic ivory tower, not caring that your course is going to help legitimize virus writing, and will only lead to more viruses being written in the future - more problems in the real world which YOU will be responsible for.

You create a mess, and then we have to clean up after you.

Shame on you!
