Home Your Tech Home Tech Learn how to write your own malware
As if malware is not already a big enough problem with script-kiddies and a thriving underworld market in readymade malware exploit kits adding to the agony. One university is now actively teaching students how to write viruses properly...

There is something of an 'Oh My God' feel to the Newsweek article which covers the story. It claims that Professor George Ledin is somehow trying to disrupt the IT security industry status quo: "His syllabus is partly a veiled attack on McAfee, Symantec and their ilk" it says.

The course in question, tackling computer-security issues, is conducted at the Sonoma State University, San Francisco. Professor Ledin, Newsweek proclaims, has showed his students "how to penetrate even the best antivirus software."

Security vendors are, perhaps understandably, more than a little peeved. This could well be more to do with the arguments emanating from the direction of the good Professor than the actual course itself.

Newsweek sums up the Ledin position as being, in a nutshell, that consumer antivirus products are useless in college students can work around them. They are nothing more than a $5 billion per year cash cow for the vendors.

Of course, not everyone who uses a computer is taking a college course which teaches them to evade security software protection, so the argument does have some flaws. But then so does the counter-argument that Professor Ledin is some IT Dr Evil turning geeks into cyber-criminals.

The course has actually got much more to do with churning out future computer security professionals who can join the fight against cyber-crime rather than Mini-Me miscreants. Sure, there is the potential for harm but then the same can be said of any course which teaches the relevant programming skills.

When the courses first started, the Sonoma State University said that "students are learning the intricacies of how computer viruses are constructed in much the same way biology students learn about the intricacies of bacterial organisms and other life forms that cause disease."

But what about the ethics of malware instruction, and what do the security vendors have to say about it all? Find out on page 2...


It quoted a philosophy professor, John Sullins, who was working with Ledin on the ethical perspective of the course as comparing learning about malware to learning a martial art. "Ledin's class provides students with an uncommon opportunity to learn" Sullins said "not only how to react and defend against malicious computer programs, but also how they are used and the logic behind their construction."

Perhaps most telling, Sullins claimed that "Ledin is like a sensei in a virtual dojo, he not only instructs his students in the nuts and bolts of the creation of malicious software, but he also guides their understanding of when one should, and shouldn't, use the skills they are learning in his class."

Ledin himself is adamant that his students are not in it to cause harm, and cannot do so anyway as they work within a totally sand boxed environment meaning there is no danger of their experiments leaking out into the wider networked-world.

And anyway, why the big fuss? The course has been running for some time now and was not even the first of its ilk. As far as I am aware that honour goes back to 2003 when the University of Calgary announced plans for a Computer Viruses and Malware course.

At the time, the then global director of education for security vendor Trend Micro, David Perry, said "Why not have classes in hacking? Why not have classes in all kinds of malicious computer activity? You don't send somebody out to shoot someone so they understand what happens when somebody gets shot."

No, but you do train policemen and soldiers in how to use a weapon, and they do train for shooting people in highly realistic simulation environments. Very little difference, in actual fact, from teaching the mechanics of malware within a safely sand boxed lab.

Not that this cuts the mustard with security vendors, most of whom simply do not employ anyone with a history of creating malicious code as a matter of policy. And that, it seems, would include doing so at college...


Download an in-depth guide to managing a healthy, motivated and energetic workforce without breaking the bank.







Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities