Creating viruses in a university course, Part 1

A storm of criticism washed over a University of Calgary professor last year when he announced his intention to teach a fall course entitled “Computer Viruses and Malware.” Assistant Professor John Aycock shocked the anti-virus world by including his intention to have his undergraduate students write some malicious code.

Many experts objected on the following grounds:

* Writing malicious code is unnecessary in teaching how viruses, worms and Trojan horses work or how to fight them.

* Keeping the malicious code contained within the class of laboratory would be difficult or impossible.

* Some students would take the wrong message home about the ethical implications of creating malicious code.

* Students with experience writing malware would be unemployable by anti-virus firms, always concerned about the widespread rumor that they engage in writing viruses for profit.

Supporters of the course rejected these arguments, assuring critics that the laboratory would be well secured and insisting on the pedagogical value of such exercises. In addition, they stressed that virus writing would be only a small part of the course, which would also teach students about the history of malware, economic consequences of these programs, countermeasures, legal and ethical considerations, and wider principles of computer and network security.

After the course was over, there appeared to have been no breaches of security and university spokespersons insisted that they would offer the course again despite their critics.

It seems to me that writing real viruses may be less valuable to the students than analyzing a wide range of existing viruses and thinking about, designing, and implementing anti-virus mechanisms. However, given the relatively minor part that this exercise plays in the overall course, it also seems to me that critics may have overreacted.

More about this issue in the next column.