xkcd

[Durandal]

I currently attend the University of Calgary, and will be transferring from physics to computer science next year. One possible concentration is Information Security, and along with it some courses relating to virus and malware writing. There's a special high-security lab on campus, not connected to any other networks, with no electronics allowed in or out. This is where the viruses are written.

The professor who runs the courses, Dr. John Aycock (homepage here), apparently ignited a minor political firestorm in the security community when he originally offered the courses back in 2003. Articles:

Good summary article
Further detail, from campus newspaper
Opinion piece in support of the idea, well-written
Media article with negative slant, includes sections with students

I had a first-year programming course with Dr. Aycock this semester, and from a purely personal standpoint he is an excellent prof, one of my favorites.

Now the practical drawbacks - both McAfee and Sophos have publicly declared that any student taking these courses will never be hired by them, end of story.

What are your thoughts on the matter? Should computer science students be taught techniques of writing viruses and other malware? The courses in question are only available to fourth-year and higher comp sci majors. No auditing is allowed, applicants must sign a form releasing the university from liability, and only 16 applicants are accepted - a written essay on why you should be allowed to take the course is required. As well, there is a heavy legal and ethics component to the course.

Additional examples of courses that teach students how to write viruses:

California
San Fancisco

Those have only started in recent years; there are probably more out there, somewhere.

Personally, I think it's a good idea to learn such things in controlled settings. All of this information is floating around on the internet anyway. The people who get accepted are smart enough to make viruses that will destroy your computer, with the course or without it. This approach allows them to know their enemy, their capabilities, how they think, etc.

Note to mods: I'm not entirely sure this belongs in SB, so move it as you see fit. I'd like to gather people's opinions on what is really a less-than-clear-cut subject.

I'd like to see it continue here in SB, but I will remind participants that Serious Business worthy responses are required. -Az

[quintopia]

Some responses to about.com article:

"It is simply not necessary to write new viruses to understand how they work and how they can be prevented."

We learned how to smash the stack with a buffer overrun in our second year and had a project that required doing so. There really is something to be said for learning by doing. It really does work better than lectures.

Sophos points out that none of the researchers working in its labs write malicious code to achieve a better understanding of how to defeat viruses.

This seems to me to be a hole in Sophos' research. No, you won't need to know the mindset of someone who writes a virus in order to build anti-virus software, but anti-virus software is completely reactionary, and therefore is in some ways less effectual than it could be. If they were developing safeguards and patches to prevent the exploits used by viruses, they would probably need to be actively trying to find them in order to stay ahead of the market. Such a business model would probably be very profitable.

If (or more likely, when) one of these student-created viruses finds its way onto the Internet, who will be held financially, morally, and criminally responsible? It certainly seems the student has a ready defense - the professor made me do it - meaning the most likely candidate for prosecution may just be Professor Aycock or the University of Calgary.

Obviously, this is just not true, considering the student must release the university from liability. If a virus finds its way to the internet, it will be because some student moved it there from the protected network intentionally.
Now, this is a bit of a sticky point: the university and the professor should be doing everything in their power to prevent any data from leaving that protected lab. If one student copies another student's virus and releases it, how will anyone know who was to blame?
Probably the best way to prevent this problem is by setting up the protected network using special architectures and patched operating systems so that any virus that works on the network will not work anywhere else. Is this the case?

[Durandal]

Now, this is a bit of a sticky point: the university and the professor should be doing everything in their power to prevent any data from leaving that protected lab. If one student copies another student's virus and releases it, how will anyone know who was to blame?
Probably the best way to prevent this problem is by setting up the protected network using special architectures and patched operating systems so that any virus that works on the network will not work anywhere else. Is this the case?

I'm not really sure, to be honest I have no idea where the lab even is. Students all have their own accounts obviously, but then again these people might be able to find ways around that if they were so inclined (with regards to copying another student's virus).

One of the articles I linked mentions 'padlocked cases', which might imply that there are no external USB ports or disk drives for use. Then again, there's also the restriction on electronics in the lab, which wouldn't be an issue if there wasn't some hardware-based method of transferring information.

I have his class in about an hour, I suppose I could ask him then. Although, making viruses that wouldn't work in the real world doesn't seem to fit the aim of the course.

[Jebobek]

A response to a snip from the first article:

Belthoff questions the wisdom of such an approach, asking, "Should we teach kids how to break into cars if they're interested in becoming a policeman one day? It is simply not necessary to write new viruses to understand how they work and how they can be prevented."

This is like asking "Should we teach med students how to dissect a dead body into bits and peices if they're interested in becoming a surgeon?" It is not necessary to understand how the body works, but in my belief it is acceptable because the student retains the information much better, because they are learning by doing. Along the policeman example, teaching someone how to break into cars may be useful for those who are in a specialized school regarding vehicle security. If they know how people are breaking in, they can later develop ways to prevent it.

I understand that more harm can come out of making viruses than cutting up a dead body, but with enough security measures in place the benefits can outweigh the risk. If these students could develop viruses that bypass security software (McAfee) then submit the information (without infecting the company) the security corporations could reap a large benefit.

[EdgarJPublius]

This is absolutely a good idea, as other's have said, learning by doing is almost always the best way of learning, the University seems to have covered it's liability quite well, and really, it's more to McAfee and Sophos' detriment that they aren't hiring these students than to the detriment of the program.

In fact, I'm almost positive that these two companies employ people who have written malicious code outside of such a controlled setting anyway (many other major computer security companies do) So I'm not sure how they justify not hiring these students.

[floodslayer]

Apologies for the anecdote, I'm trying to find articles on other schools with similar programs, but I'll stick with mine for now. I'm a Computer Science student at NC State, and we have numerous courses for undergrads and grad students that involve "teaching students how to hack" in one way or another. The classes I've taken generally center around lecture style coursework, with numerous labs asking us to execute various types of attacks (usually using well known tools rather than our own code, atleast at the undergrad level). For example, this is a lab using nmap to port scan /OS fingerprint a remote machine. These exercises are usually preceded by signing a waiver form, or at the least a half-lecture on the ethics involved. The activities are done on virtual machines on an isolated private network.

In addition to port scanning I've had labs that asked me to crack crypto, online and offline brute-force/dictionary-based password guessing, TCP session hijacking, DOS attacks, DNS cache poisoning, etc. Easily nine times out of ten I felt like I understood these types of attacks much better after completing these labs, and had a better understanding of what would be required in various protocols/applications to handle these attacks.

Now, on to the broader point. While these types of courses generally draw some controversy, especially from non-technical university admin folks or the exceptionally nervous, my experience is that most CSC faculty agree that these things are useful. Now, there does exist an argument that creating and testing new viruses is fundamentally different from learning to use security tools that are already widely available. But that difference doesn't center on the knowledge the students gain, but simply the fact that new threats are being produced. It certainly doesn't seem to justify refusing to hire these students. How is the mentality/work-ethic of someone who has written a virus for university different than someone who has performed a man-in-the-middle attack or created a bulk-mail tool ??

My feeling is that as long as the actual threats produced don't find their way onto the internet, then we can only gain from it. But that's really not any different than saying teaching students about network security is good as long as they don't try to DDOS their neighbors.

One further (even broader) point is that all knowledge is meaingful, powerful, and most is potentially dangerous. We don't refuse to train pilots or chemists due to past terrorists attacks, we don't refuse to train and arm our military despite the inevitable effect on violent crime [citation], and we really shouldn't refuse to equip IT professionals with as much knowledge as possible about potential malware threats. If what they're doing is dangerous then it should be contained, and if the knowledge is dangerous then they should be adequately instructed and monitored with regards to professional ethics.

[Comic JK]

No one has yet mentioned explicitly that there might be legitimate uses for malware, just as there are (most people agree) legitimate uses for bullets.

It seems likely that future wars between developed countries will involve hacking as well as physical attacks, and thus it is in the interests of the US to have some people available who can practice offense as well as defense.

[invisibl]

Hmm

If there is no class to learn how to write these types of things then where do McAffe and Sophos for example get their staff from?

So I wonder:Is it better to have informally self trained ppl trying to prevent something that flourishes away from the scrutiny of the public eye and therefore away from being intensively studied and challenged?
Or is it better to have the process formalised and have groups of ppl that can share experiences and knowledge and therefore assemble a "larger than the sum of its parts" approach..

Please forgive my ramblizations it is very early and My head hurts but I do wish dearly that I had time and access to this type of education ...

Good luck with taking this to the OP.

I have envy.

[Daywraith]

Personally I'm a big supporter of security via education as opposed to security via obscurity. Indeed I'm currently procrastinating instead of studying for my Certified Ethical Hacking exam.

It seems like it could be a very useful course for students looking for careers in cyber-warfare.

I don't think extreme methods for locking down the system would useful. Simply locking all the cases and having no method for digitally copying the information should be sufficient. Beside if the students actually understand the course they should be able to recreate the code form scratch outside of the network anyway.

[Poochy]

Now the practical drawbacks - both McAfee and Sophos have publicly declared that any student taking these courses will never be hired by them, end of story.

Thank you. I now know not to buy anti-malware stuff from McAfee or Sophos.

There's the old sayings about "know your enemy" and "it takes a thief to catch a thief." There's also another saying that "an ounce of prevention is worth a pound of cure." To fight malware, it sure would help to know how creators of malware might think, what routes they might take to try and attack a system, and so on. If you, as a white-hat, can find an exploit before the malware creators do, then you'll have a considerable head start in the race to patch up the hole.

This isn't just in theory, it's worked in the real world: The infamous "hole in the Internet" was an exploit in the fundamental workings of DNS that would have been disastrous effects if black-hats had found and exploited it before it had been patched. Thankfully, the guy who discovered it was a white-hat, Dan Kaminsky, and he discovered it only because he knew how to do black-hat-style cracking. The end result was that the hole was patched up before anybody outside of the small trusted circle knew how to exploit it. Had the black-hats found the hole first, it surely would've been patched up quickly, but chaos would most likely have erupted in the brief period of time in between. A reactionary approach would not have worked well here.

To make a long story short: Instead of playing a constant game of cat and mouse, try setting up some mousetraps. The latter is what this course does.
To make a short story long: See anything by Charles Dickens.

[Carnildo]

There's the old sayings about "know your enemy" and "it takes a thief to catch a thief." There's also another saying that "an ounce of prevention is worth a pound of cure." To fight malware, it sure would help to know how creators of malware might think, what routes they might take to try and attack a system, and so on. If you, as a white-hat, can find an exploit before the malware creators do, then you'll have a considerable head start in the race to patch up the hole.

It's not a set of skills that teaches you how to find exploits, it's a mindset: "How could I abuse this functionality?" Knowing the tools of the trade (port scanning, buffer overflows, etc.) is helpful but not essential: both of the viruses I've written simply use standard functionality of their hosts in a way that people don't expect.

[Indon]

Looking at articles on the subject, it seems clear that hiring a former black hat has been considered risky, but potentially rewarding as well, so long as it's gone about properly. (Of particular note is the casual mention in the second article that black hats that have served time tend to get picked up by the industry for security work)

How is this different, other than the fact that it's actually a much safer and more effective way to get the right experience into the hands of the right people while simultaneously guiding them in the right direction?

[ks_physicist]

Any company that refuses to hire people because those people have taken coursework to expand their knowledge base--and to expand it in a way that would directly and substantially increase their value to the company--is a useless company that should be discarded.

Still...the school should allow students to take the course as "independent study" with no record of exactly what course it was that you independently studied.

[Azrael]

Still...the school should allow students to take the course as "independent study" with no record of exactly what course it was that you independently studied.

A school granting degree credit without disclosing what the credit was for would probably have significant trouble keeping that degree track accredited.

[The Mighty Thesaurus]

No one has yet mentioned explicitly that there might be legitimate uses for malware, just as there are (most people agree) legitimate uses for bullets.

It seems likely that future wars between developed countries will involve hacking as well as physical attacks, and thus it is in the interests of the US to have some people available who can practice offense as well as defense.

Are you saying that waging war is a legitimate use?

[rath358]

No one has yet mentioned explicitly that there might be legitimate uses for malware, just as there are (most people agree) legitimate uses for bullets.

It seems likely that future wars between developed countries will involve hacking as well as physical attacks, and thus it is in the interests of the US to have some people available who can practice offense as well as defense.

Are you saying that waging war is a legitimate use?

Touche

I could see this being very helpful to anti-malware people. Understanding not only how a virus works, but how the writer writes it and thinks it through could provide deep insight in how to beat the virus.

[ks_physicist]

Still...the school should allow students to take the course as "independent study" with no record of exactly what course it was that you independently studied.

A school granting degree credit without disclosing what the credit was for would probably have significant trouble keeping that degree track accredited.

What, no one does independent research projects any more? Fine, call it Seminar.

[doskei]

No one has yet mentioned explicitly that there might be legitimate uses for malware, just as there are (most people agree) legitimate uses for bullets.

It seems likely that future wars between developed countries will involve hacking as well as physical attacks, and thus it is in the interests of the US to have some people available who can practice offense as well as defense.

Are you saying that waging war is a legitimate use?

This argument falls apart rapidly when you consider that it is very unlikely you can prevent others from using these means.
That is, it is much easier to question the use of bullets in waging war than it is to question their use in defending against it. I'm not saying there is no argument to be made (either is the analogy or the topic at hand), but the "can't we all just get along" argument will only get you so far.

I think Comic JK makes a valid point in that these students will be more valuable in such a future engagement, whether they're on the side of the aggressor or not. There's reason to believe that hackers in China have used technological means to attempt to give themselves an advantage over US military, which is probably as close as you're going to get to a real-world example of the hypothetical Comic JK is implying.

So, the response I'd offer to The Mighty Thesaurus is: waging- debatably legitimate, protecting against- probably legitimate, and preventing- really pretty thoroughly legitimate. And I'm moderately confident you could concoct hypothetical and theoretically viable examples of each.

The larger point, though, is that assuming we know to what use students will put their new found knowledge is unreasonable and unfair; stifling the pursuit of knowledge is unconscionable.

[Izawwlgood]

First of all, thanks Durandal for posting about an issue I had never thought about. I find the anti-virus companies stance to be juvenile and naive at best. If I were in the business of protecting computers from spyware and viruses, I would make this class a requirement for my employees.

No one has yet mentioned explicitly that there might be legitimate uses for malware, just as there are (most people agree) legitimate uses for bullets.

It seems likely that future wars between developed countries will involve hacking as well as physical attacks, and thus it is in the interests of the US to have some people available who can practice offense as well as defense.

Are you saying that waging war is a legitimate use?

But yes. War is a legitimate use. The notion that ceasing the arms program will somehow cause war to stop is unrealistic.
A friend of mine works for the government in some bioterrorism wing and most of his work revolves around creating and detecting very scary recombinant viruses. I would do this line of work.

[Certhas]

Now I am not a CS major, so this might be a stupid question, but why not use , say, an arcane version of Unix, or even better, Windows 95? Or OS/2? Or (non intel) MacOS9? In short something with an infinitesimal install base so as to inherently prevent the spread of the virus. Same goes for browsers, etc that you might want to exploit.

What is it you can learn by writing against a fully patched Vista machine that you can't learn by writing against a fully patched MacOS9 machine?

Also I think the reasoning of McAfee and others is political: they don't say that these people wouldn't be valuable to them (though they argue they are not neccessary) they say that their value is outweighed by the risk of creating an environment where Universities consider teaching these techniques as a normal part of a well rounded curriculum (as opposed to the limited access op described).

[Indon]

What is it you can learn by writing against a fully patched Vista machine that you can't learn by writing against a fully patched MacOS9 machine?

How to target a complex logical system specification such as this baby right here.

If you're gonna teach someone how to use a gun, you don't teach them using a blunderbuss - you use a modern weapon, so that they know how to fire modern weapons. Artillerymen don't train on cannons, etc.

[phlip]

Agreed with pretty much everyone who's posted... I know for me personally, learning how to pull off, say, a stack-smashing exploit, has decreased the number of times I've gone "meh, that buffer'll be big enough" without checking by far more than any number of lectures would have done. Such a course would have tangible benefits for any coder, not just virus and antivirus writers.

In fact, I'd love to see a study done... take application code from coders who know how viruses work, and coders who don't, and see which is more secure, and by how much.

[Indon]

How to target a complex logical system specification such as this baby right here.

If you're gonna teach someone how to use a gun, you don't teach them using a blunderbuss - you use a modern weapon, so that they know how to fire modern weapons. Artillerymen don't train on cannons, etc.

It occurs to me that I should elaborate on this a bit more, for clarity.

Cyberwarfare isn't just a type of combat, comparable to being an infantryman or an artilleryman. Cyberwarfare is ultimately a type of engineering field, first and foremost, and as such the 'fields' you fight in also dictate the 'weapons' you use.

Anyone can learn the general theory behind this sort of thing - but you can only get relevant 'combat' experience by fighting in a relevant environment, with the relevant tools.

[doskei]

Now I am not a CS major, so this might be a stupid question, but why not use , say, an arcane version of Unix, or even better, Windows 95? Or OS/2? Or (non intel) MacOS9? In short something with an infinitesimal install base so as to inherently prevent the spread of the virus. Same goes for browsers, etc that you might want to exploit.

What is it you can learn by writing against a fully patched Vista machine that you can't learn by writing against a fully patched MacOS9 machine?

The other problem with running a 'legacy' OS is that, as vulnerabilities are patched in modern versions of an OS, those vulnerabilities can be targeted in the legacy OS, which is no longer being patched by the manufacturer.
That is, if I'm a hacker, I know that ME is no longer supported by MS, and therefore not getting patches. As such, every time MS patches XP - a very different OS, but which is likely to have at least some similar code - that patch tends to come with at least some info on the vulnerability being patched. As such, I can write an exploit that assumes the same vulnerability exists in the legacy OS.

Obviously many many such exploits will not be ubiquitous like this, but you're likely to find a few. And since your targets have no means of updating their software to protect themselves, they're sitting ducks once you find a workable exploit.

Also I think the reasoning of McAfee and others is political: they don't say that these people wouldn't be valuable to them (though they argue they are not neccessary) they say that their value is outweighed by the risk of creating an environment where Universities consider teaching these techniques as a normal part of a well rounded curriculum (as opposed to the limited access op described).

Actually I think you've nailed it there. They're afraid of being exposed to liability, afraid they'll have no leg to stand on if one of their own employees is the source of a major virus. This would be hugely embarrassing to an AV corp, and would likely result in a due diligence lawsuit from shareholders. And they're afraid that the fact that this employee once took a course in malware will be too damning to escape without major repercussions.

That said, if I'm right I think it's a bull$#!* argument. They should be happy to hire these folks, knowing that even in a truly worst-case scenario, they'll have a chance to show a jury in court the obvious benefits to a 'white-hat' coder of taking such a course, not to mention the fact that they could bring up all the other students who've taken such courses and not gone to the dark side. And in the meantime, they might just sell a better product.

[Zhatt]

Considering that the people taking these courses would be putting money into it, I doubt many would put this education to use just making malicious viruses for fun. These people are obviously looking for a career and trying to expand their options.

If fact, offering the course itself might turn many would-be black-hats into white-hats now that they have a legitimate field to practice their skills.

[Indon]

And it's not like the curriculum couldn't get packaged with an ethics course about using your newfound superpowers for good (or at least, for legalstuffs).

[hocl]

Now the practical drawbacks - both McAfee and Sophos have publicly declared that any student taking these courses will never be hired by them, end of story.

That's an anti-trust lawsuit waiting to happen.

Then again, there's also the restriction on electronics in the lab, which wouldn't be an issue if there wasn't some hardware-based method of transferring information.

Couldn't someone just record the code on a camera phone?

[masher]

Then again, there's also the restriction on electronics in the lab, which wouldn't be an issue if there wasn't some hardware-based method of transferring information.

Couldn't someone just record the code on a camera phone?

or even, *gasp*, write it down?

or remember it?

[phlip]

Well, considering it's a class, I would hope they would remember it... or the important bits at least (enough to reproduce the rest later if necessary)...

Though, it'd be entertaining to go to a lab to hear the tutor saying "Now, I don't want you to remember any of this..."

[Steve]

Then again, there's also the restriction on electronics in the lab, which wouldn't be an issue if there wasn't some hardware-based method of transferring information.

Couldn't someone just record the code on a camera phone?

or even, *gasp*, write it down?

or remember it?

OPSEC. OPSEC. OPSEC.

Ask virtually anyone that works in a classified (be it government or corporate) environment, and they will tell you that the security measures are largely in place to prevent accidental breaches. A close second is making it onerous enough for anyone attempting to bypass it for malicious reasons that they are likely to be caught in the process. As we all know, virtually nothing can be made 100% secure, however the measures listed above to make it hard enough to prevent the vast majority of incidents.

On a seperate note, with all the added interest in the Air Force cyberspace command (or DHS or Exec. Branch or whomever ends up winning that pissing contest), I would imagine that the private/public contracting/consulting/gov. employ sector for preventing (largely) Chinese intrusions will be growing rapidly. Courses like this should prove a huge asset.

[phlip]

I suppose this is the sort of question Durandal would have to answer, but is the purpose of the isolated network to protect the outside world from malicious students, or to protect it from stupid students?

'Cause if it's the former, it'd not going to do a whole lot... even if they can't take that particular virus they wrote in the lab home with them to release, they're still being taught how to make them, and it's not like it'd be hard to reproduce the vital parts from memory/lecture notes outside of the lab. Really, short of screening the malicious students out of the class, there's not much that can be done about it... the OPSEC analogy doesn't work, 'cause it's not about people going into the lab and suddenly having access to certain resources that we don't want them taking out... the certain resources are the knowledge of how a virus works, and the students bring that in with them, from the lectures.

It seems more likely that the point of the isolation is so the students have a safe sandbox to do whatever they want virus-wise, without having to worry about anything getting loose in the wild via an accident of some kind. And if that's the case, then they only need to go so far as to protect from accidental leakage... no WAN/Internet access, no storage devices, nothing the virus could infect without the operator's knowledge. But currently there aren't any viruses that are designed to spread via a person accidentally writing down the source code in a note book, then typing it up on another computer and running it, without the person noticing. At least, not until I've put the finishing touches on it.

[Indon]

On a seperate note, with all the added interest in the Air Force cyberspace command (or DHS or Exec. Branch or whomever ends up winning that pissing contest), I would imagine that the private/public contracting/consulting/gov. employ sector for preventing (largely) Chinese intrusions will be growing rapidly. Courses like this should prove a huge asset.

I thought it was going to be an NAF?

Anyway, you can go out and learn to fire an assault rifle on your own, but the police will still hire you - in fact, you'd probably be more attractive to hire, despite the fact that you have the ability to flip out and go mass-murder a bunch of people from a clock tower.

So I don't see how security should really be a concern.

[Steve]

Really, short of screening the malicious students out of the class, there's not much that can be done about it... the OPSEC analogy doesn't work, 'cause it's not about people going into the lab and suddenly having access to certain resources that we don't want them taking out... the certain resources are the knowledge of how a virus works, and the students bring that in with them, from the lectures.

It seems more likely that the point of the isolation is so the students have a safe sandbox to do whatever they want virus-wise, without having to worry about anything getting loose in the wild via an accident of some kind. And if that's the case, then they only need to go so far as to protect from accidental leakage... no WAN/Internet access, no storage devices, nothing the virus could infect without the operator's knowledge. But currently there aren't any viruses that are designed to spread via a person accidentally writing down the source code in a note book, then typing it up on another computer and running it, without the person noticing. At least, not until I've put the finishing touches on it.

While it's true that in this case the protection is to largely to protect those outside the walls, the same principles hold true. This is the case in virtually any secure environment however: as an example I will take the civilian nuclear industry. It is important to a nuclear power to keep these technologies secured for both internal and external threats. We want to prevent malicious uses from the outside (bombs) and also to prevent releases from the inside (someone taking home radioactive material?).

It seems that the OP's class does this very well; outside threats are mitigated through screening and internal threats are mitigated enough through lockdown procedures.

Anyways, is it an NAF now? I can't keep up with all the different claims on that new group, although I wager that everyone will eventually realize that the Air Force and NSA have probably been doing this forever anyways and just need some beefing up, as this really needs to be seperate from anything political.

[Gelsamel]

The main reason McAfee and Sophos won't take those students is probably to avoid rumors that AV companies fund malware creation.

[Kain]

You know, McAfee and Sophos may not take those students, but I am willing to assume that the Federal government wouldnt be as quick to dismiss the benifits of having employees who can see the mindset behind the numerous attacks they apparently deal with each day...

Of course, the Neohapsis article just HAD to quote a professor from my university who would criticize the course...

[Philwelch]

I'd like to nominate a topic-move to somewhere in Analytical Machines, since I'm dubious that the SB community will be as knowledgeable on this as a more technical community.

Some responses to about.com article:

"It is simply not necessary to write new viruses to understand how they work and how they can be prevented."

This is a crock of shit (the about.com article, not Quintopia's response).

Computer science programs have a long tradition of learning by doing. Want to learn how compilers work? Write a compiler. Want to learn how operating systems work? Write a kernel. Want to learn how games work? Write a graphics engine. Write an AI.

Sophos points out that none of the researchers working in its labs write malicious code to achieve a better understanding of how to defeat viruses.

This seems to me to be a hole in Sophos' research. No, you won't need to know the mindset of someone who writes a virus in order to build anti-virus software, but anti-virus software is completely reactionary, and therefore is in some ways less effectual than it could be. If they were developing safeguards and patches to prevent the exploits used by viruses, they would probably need to be actively trying to find them in order to stay ahead of the market. Such a business model would probably be very profitable.

Who is Sophos, I asked myself. It turns out they're an enterprise anti-virus software provider—someone that sounds like an authority on this issue but isn't.

There are lots of places where you need to understand security vectors to write software. Antivirus software, though, isn't much higher up the chain than most application software when it comes to understanding security. Antivirus software usually means "scan these data sources for something that matches one of these patterns, because these patterns denote known virus code". It usually does nothing about fighting known viruses.

If you want a secure system, you need to write kernels, compilers, libraries, and so forth to protect against security flaws. And the best way to see security flaws in your software design is to be able to figure out, from the attacking viewpoint, how to exploit these flaws.

No one has yet mentioned explicitly that there might be legitimate uses for malware, just as there are (most people agree) legitimate uses for bullets.

It seems likely that future wars between developed countries will involve hacking as well as physical attacks, and thus it is in the interests of the US to have some people available who can practice offense as well as defense.

Are you saying that waging war is a legitimate use?

Are you saying it isn't a legitimate use? Pacifism is kind of like anarchy: it sounds peaceful and morally superior, but it doesn't work in the real world. Mainly because it requires immediate simultaneous total cooperation of everyone at once. In a world with 6 billion pacifists and 1 warmonger with a big stick, the warmonger is despot.

That having been said, future wars between developed countries seem unlikely, for well understood economic reasons.

[Babam]

Why did reading this thread summon a image in my mind of a future where CS students swear to become White hats, get a special white hat and a tatoo with a hidden id code inside, and if they are found guilty of black hat hacking after they are sworn in they are forbade from ever doing white hat hacking ever again, or even worse executed; depending on the severity of the crime.

[Vault]

There's always the possibility that the AV companies are attacking their credibility now so that they won't be hired by companies that will use them to fix all of the security holes. If that happened the AV people would be out of a job.

[Cleverbeans]

Now the practical drawbacks - both McAfee and Sophos have publicly declared that any student taking these courses will never be hired by them, end of story.

In the circles I run with McAfee's so called AV software is considered malware, so this only improves the courses credential for me. It's good to see them shooting themselves in the foot.

[achan1058]

Now I know never to use McAfee. Though, the company maybe saying in public that they would never hire such students, they can miss noticing such a course on the transcript after all.

There's always the possibility that the AV companies are attacking their credibility now so that they won't be hired by companies that will use them to fix all of the security holes. If that happened the AV people would be out of a job.

Rice's Theorem, this won't happen, and there will never be a perfect virus checker.