
Round (V)X in the Debate on Virus-Writing Classes

Wednesday, May 23, 2007 at 10:44am by Karthik Raman

PC World Associate Editor Eric Larkin blogged on May 22 about a new computer science course to be taught at Sonoma State University, in California. Apparently, the school will offer a class in virus writing.

However, Sonoma State’s computer science curriculum Web page does not mention a virus-creation course as I write this.

If Sonoma State’s virus-writing class is a reality, it wouldn’t be the first such controversial university course. Colleges and professors who have in the past offered courses on virus or malware creation have come under fire. At the same time, however, others have given conditional support for these courses.

So is it OK to teach virus writing?

Let’s revisit a recent debate on the subject: In 2003, Professor John Aycock of the University of Calgary, in Canada, announced that he would teach “Computer Viruses and Malware” in the fall. Security expert M.E. Kabay summarized the arguments of the critics of this course: It wasn’t necessary to learn how to write malicious code to understand malware; malicious code written for the class could be used (ahem) maliciously; students might feel encouraged to write malware if the ethics of their actions were not discussed; and the antivirus industry might shun graduates of the course as tainted. Perhaps the strongest criticism of the course, posted in the NTBugtraq mailing list, was that there were already tens of thousands of virus and worm families for students to “dissect and study.”

The University of Calgary maintained that actual virus writing was only a small part of the course. The head of the university’s computer science department, Ken Barker, stated, “The better we understand something, even if we radically disagree with it, the more likely we are to provide effective mechanisms to counteract it.” He added that students would run their code in a tightly controlled laboratory setting. There would be constant emphasis in the course on the legal and ethical implications of students’ actions. Prof. Barker concluded, “After a careful review of the first offering and upon considering the ongoing need for this level of expertise, the University of Calgary believes that it is in the greater public good to continue to offer the course.”

Despite the care that went into the design of “Computer Viruses and Malware,” some experts still balked at the idea of teaching such a course. Professor Edward Felten of Princeton University said, “There is some merit to the argument that learning how to write malware, under very carefully controlled conditions, can help one to think more clearly about how to defend against malware. But I would not teach a course about malware that way.”

Four years later we’re debating the same issue. We should reserve our judgments until more is known about the class: its title and description, how well it is designed and taught, what kind of emphasis there will be on matters of law and ethics, and what safeguards will be in place to prevent one’s homework from eating the computer.


Comments (3)

  • Aa'ed Alqarta February 17, 2008 2:54AM

    This is a good step to fight back, because teaching students how to write viruses makes them ready to implement better security tools.

  • Brodie November 15, 2007 5:17AM

    I think that this is a brilliant idea and will provide a valuable insight into malware structure and ways to combat it.
    Great job.

  • Alex May 24, 2007 8:04PM

    On some levels I can see why some individuals might balk at a class that teaches potentially malicious knowledge, but the open tirades are getting a bit ridiculous. First off, the people who are taking these classes aren’t script kiddies. It’s not like they are dilettantes and just taking this class so they can be “1337”. These are individuals that obviously can learn the subject matter on their own or they wouldn’t have passed the prerequisites to get in the class. I feel to learn the subject matter in a controlled academic environment is the best way to learn any potentially malicious knowledge. At least in the setting of academia the students can learn in a controlled and screened environment.