Malware How-to's Part of Computer Science Class

To make a point about the lack of education in computer security, a university professor offers courses in writing malware. Antivirus vendors don't buy the logic.

It's not easy to reach Sonoma State University Professor George Ledin these days. Thanks to a Newsweek article profiling his computer science classes with an emphasis on the creation of malware like Trojan horses and keyloggers, a lot of people want to talk to him. And a lot of people are mad at him.

Despite the predictable indignation and outrage by the antivirus vendors, whose software Ledin is showing future graduates how to circumvent, Ledin insists he is not creating future Slammer and Sasser authors out in the woods of northern California, just south of the city of Santa Rosa.

"The virus writers don't need me, they are not going to take my course," he told InternetNews.com. "I want to teach a generation of experts and technologists to be ethical and be aware and be knowledgeable and contribute something to it." Ledin insists that he is also teaching best practices in his class on writing good code, code that is not vulnerable to attack.

Not surprisingly, the antivirus vendors aren't having it.

"You don't have to write a virus to understand them and how to detect them," said Randy Abrams, director of technical education with ESET Software. "The time spent to write a virus is worthless. Any student at a college beyond the first few courses who can't write a virus probably shouldn't be there because it's not a difficult algorithm to write."

Joe Telafici, vice president of Avert operations at McAfee, is also skeptical. "Whether this class is helping or a gimmick is kinda to-be-determined in my mind," he said. "There's a lot of things more important in my mind than how to write a virus. Things like why does social engineering work psychologically, and what can we do about that. What is privilege escalation and how that contributes to insecurity and so on."

Contempt for the antivirus market

Newsweek noted that the curriculum of Ledin's courses was full of contempt for the antivirus software market and that he didn't hold his fire at the size of the industry. Whereas there are a handful of browsers, word processors or spreadsheets, there are dozens of antivirus companies, all doing good business.

Ledin said there needs to be more open research, like there was with searching and sorting during the 1970s, or encryption during the 1990s. Phil Zimmermann, the creator of PGP encryption, was investigated and harassed by the government for years for putting PGP out there. Now it's the basis of a thriving company.

"Sure, [anti-virus companies] are doing something about the problem, but it's kind of arrogant for them to say it's up to them. It should be opened up to the academic world," he argues.

"Computer professionals know little or nothing with regard to malware. It would be as if a physician knew as much about microbiology as the average person on the street. That would be unacceptable. Imagine if doctors deferred all decisions to pharmaceutical companies. But that's what security professionals do with malware," he added.

"Our trade secrets are our competitive edges," replies Abrams. "If he thinks socializing our programs is the way to go fine but that still doesn't justify writing viruses.

"He's completely right, IT people don't know enough about security, but teaching them how to write a virus doesn't help them learn about it," he adds.

Telafici argues that teaching someone how to get around an antivirus program's signature database isn't showing them a whole lot. "It's proving something that is a given. You can get around any pre-existing signature technique. The bad guy always gets the first move, it's a matter of time before he figures out a way around it," he said.

This article was first published on InternetNews.com.





