Friday, June 15, 2007

Virus Composition 101

There's been a lot of negative press around Dr. George Ledin's computer science course at Sonoma State College ever since Ledin announced he would be encouraging students to write computer viruses and other forms of malware.

According to an article by Erik Larkin at PC Magazine, three unnamed security firms have even sent Ledin letters saying they will not hire any students that take this course.

This kind of thinking is as dumb as two bricks.

All malware (computer virus and spyware) researchers need to understand how viruses are distributed - just like soldiers need to understand how bullets are distributed.

Could people potentially get hurt by stray bullets/viruses? Of course - which is why training of this sort *always* takes place in a controlled environment - like a rifle range, a research facility, or an off-network computer science lab.

Are Ledin's trained researchers going to be better-placed to understand the threats we're seeing, based on this course? Of course they will be; "doing" results in "knowing".

Could some students potentially create some malware with a view to perpetrating evil at the end of this course? Maybe - but the same information is available from Barnes and Noble. And I very much doubt anyone would attempt this from inside a security software company - that would result in an extremely quick trip to jail.

Authentium to George Ledin's students: if you're interested in a job, we'll look at your resume. Based on your training, our assumption is that you're going to do a better job helping us detect and defeat malware than someone without this knowledge.

Update: I should have said "Sharp", not "Authentium" in the last para. For one thing, Robert Sandilands (who disagrees with this stance) does the hiring in the lab, not me.

No comments: