Malware writing teacher revives old rows

College instructor claims to be fighting industry monopoly.

As announced to much controversy last year, a course in computer security at Sonoma State University, California, is teaching students to write their own viruses, keyloggers, spambots and other malicious software. According to a high-profile piece in Newsweek magazine, the teacher of the course, Dr George Ledin, claims his classes have a specific focus on avoiding detection by security software, as part of a criticism of anti-malware solutions and the industry as a whole.


The Newsweek article quotes Ledin as supporting the 'anti-virus is dead' argument, based on his findings that targeted malware created by his students could avoid detection by traditional scanning techniques. He is also said to believe the industry is scamming consumers, maintaining a monopoly on security software and blocking technological advances.

Ledin plans to publish a book entitled 'Computer Security, Ethics and Society'.

The Newsweek article is online here, with bemused comment on Dr. Ledin's claims from Mary Landesman at about.com here and further analysis of the story in ITWire here.

05 August 2008

Tags: academia, ethics, malware.

4 comments

So if a student that he taught to write malicious code creates something that infects our networks, we take him to the cleaners in court, have his house, car, kids and everything else he might own. Thank the big G he's based in California where litigation is a way of life.

However, can someone get him to buy insurance, then there will be more to go round ;-)

by Barry, 11 August 2008, 12:22

> So if a student that he taught to write malicious code creates something
> that infects our networks, we take him to the cleaners in court, have his
> house, car, kids and everything else he might own. Thank the big G he's
> based in California where litigation is a way of life.

Sweeping this professor's concerns under the rug is no way of dealing with the problem he raised.

Two issues:

- if somebody is able to write a virus which gets past your antivirus, even if you behave properly, from a computer security point of view, your antivirus, application or operating system (whatever contains the vulnerability) is crap

- in most cases (I'd say 99%), it is irresponsible and uneducated users which are at fault for having their machines infected, not the antivirus, OS, applications or internet access provider (user at fault includes using software known to be insecure)

So how would this professor be responsible for your machine getting infected?

However, if he's right, then it's just a matter of time until some self-educated black hat writes an unstoppable virus. Now, what do you prefer? Some responsible students being educated on the issue, and becoming able to highlight issues with current security solutions in advance of the black hat's virus becoming active, or having nobody prepared for such a situation?

The point is that by having more people properly educated about the innards of computer viruses and security holes in various applications on various OSes, it's more likely that a proper culture of computer security will establish itself eventually. By sweeping concerns about the quality of antiviruses under the rug, and maintaining a user base which has no clue whatsoever about how to evaluate a security solution, the problem does not go away.

As a comparison, would you argue about medicine students experimenting with mutating biological viruses, in order to improve vaccines and antibiotics? Why then is experimenting with computer viruses so bad?

by Florin Jurcovici, 23 August 2008, 16:32

Just came to my mind: thinking that teaching somebody to write a virus is bad is similar to thinking that teaching somebody to use a weapon is bad. I'd rather see a weapon in the hands of a trained, responsible person, than in the hands of a monkey which discovered by chance how it works.

by Florin Jurcovici, 23 August 2008, 16:33

As an average user who is interested in PC Security Issues I was mad when I first read the story, but Florin Jurcovici's reply has much merit to it when I think back on the thousands of dollars I have spent on AV's, Firewalls, anti malware software and innumerable games, not to mention my OS (Vista Ultimate) all of which are released with as much security as a screen door on a submarine. The trend of the software industry is just to market the software quickly and we'll work the bugs out later. This is the worst case of engineering I can think of. But a precious few make a lot of money over the many.

On the other hand, what worries me is how many of this guy's students share his altruistic means of enlightening the industry. This is the unknown variable that threatens to make the Internet more like a free fire zone than a place where one can converse with sources of knowledge, or shop or play games around the world.

Well, it never came with a money back guarantee now did it?

by Arclight em, 04 November 2008, 17:33
