College plans virus-writing course

This fall, the Canadian school is offering a class for fourth-year students titled "Computer Viruses and Malware," in which students will write and test their own viruses. The move has touched off a wave of criticism within the antivirus community.

Ken Barker, head of the school's computer science department, contends that such a class is needed to better understand what motivates those who write malicious software, which he says is a growing problem. In just the past 24 hours, McAfee has discovered some 190,000 new infected files, Barker said.

"Somebody who is suggesting we are doing enough really has their head in the sand," Barker said. Plus, school officials note that information on how to write viruses is already easily accessible.

Both those in favor of the class and those opposed agree that virus infections are costing corporations billions, particularly in the lost productivity that comes when an infection brings e-mail servers to a halt.

But David Perry, global director of education for antivirus software maker Trend Micro, said encouraging people to write more viruses is a bad idea.

"Why not have classes in hacking?" Perry said. "Why not have classes in all kinds of malicious computer activity?"

Perry rejects the idea that such training could lead to better bug fighters.

"I don't see there to be any educational value at all," Perry said. "You don't send somebody out to shoot someone so they understand what happens when somebody gets shot."

On the other hand, computer virus expert Fred Cohen contends that it makes sense to let students interact with viruses firsthand--even creating their own--provided that enough safeguards are in place to make sure that the computer bugs don't leave the classroom. A class of graduate students taught by Cohen did just that this past semester at the University of New Haven.

Cohen said that by writing their own viruses--as well as antivirus software to stop their creations--his graduate students learn how easy it is to create such bugs, how quickly they spread, and other knowledge of how such code operates.

At the same time, he rejected the University of Calgary's notion that students can get in the mind frame of those who distribute malicious code by writing viruses of their own.

Cohen's main focus is ensuring schools that offer such classes set up safeguards to prevent students' work from getting out of the classroom.

"It's not, in general, a very safe thing to write viruses," said Cohen, who also works for market analysis firm Burton Group. "It's easy to make a mistake."

University of Calgary officials say the school has taken appropriate precautions and will use a closed network and prohibit students from removing disks from the virus-infected labs, which will be secured 24 hours a day.

For his part, Trend Micro's Perry said there is little need to study virus writing at all, given the simplicity of most malicious code.

"Generally speaking, the people that release viruses into the wild are not very good computer programmers," Perry said. "If you are a very good programmer, somebody hires you to write programs."

But it is that very financial motive that Barker said will keep his school's students focused on preventing viruses rather than launching them.

"They are not really employable as virus writers," Barker said.

However, students who opt for the Calgary class won't be able to turn to antivirus software maker Sophos for employment after they graduate.

"Don't bother applying for a job at Sophos if you have written viruses, because you will be turned away," Sophos co-CEO Jan Hruska said in a statement. "The skills required to write good antivirus software are far removed from those needed to write a virus. With 80,000 viruses in existence there can be no excuse for teaching students on how to create more."