Safeguards will prevent malicious software from causing problems on the Internet, the school says.
Despite harsh criticism from some security professionals, the University of Calgary isn't backing down from its plan to have students develop viruses and malicious software as part of a course. The university says its "Computer Virus and Malware" course will take place this fall.
"After consideration of all the facts, the University of Calgary's Department of Computer Science will continue to offer the 'Computer Virus and Malware' course as originally planned," wrote Dan Seneker, coordinator of community relations, faculty of science, for the university, in an E-mail to InformationWeek.
Besides defending its decision to go ahead with the course, the university also outlined safeguards it will put in place so the viruses written by students in the lab don't end up wreaking havoc on the Internet.
"Is there another way to teach about stopping viruses without providing adequate knowledge so that the students could write a virus? The answer is simple: No. Anyone who claims they can fight a virus but could not write one is either uninformed or trying to mislead for other reasons," the statement reads.
"That is utterly ridiculous," says Pete Lindstrom, research director for Spire Security. "There are plenty of ways to gain the same level of knowledge other than the destructive knowledge of having students create new viruses. We don't teach sex education by having students have sex in class."
Students should spend their time studying how to write secure applications and operating systems and dissecting the tens of thousands of existing viruses instead of crafting new viruses, worms, or Trojans, he says. "The tactics and techniques of destruction are not the same as those for control and protection," Lindstrom says. "It's a myth and misguided to believe that you have to be a hacker or a virus writer to stop hackers and viruses."
Others also see risk. "The interesting thing about a virus is not how it is written, but how it behaves in a network," says Bill Murray, senior research executive for security firm TruSecure Corp. "Many of the viruses currently in the wild exist because the virus author couldn't resist the temptation of seeing how it would act in a network environment. The problem is that college students are not well-known for their ability to resist temptation, and so it is just a matter of time before one of them turns one loose."
The university said the students will get training in ethics from philosophers, lawyers, and business professionals as part of the course. To keep viruses from escaping, the university said the computer lab will be locked at all times, no storage media will leave the lab, and the network in the lab will not be connected to any outside systems. As an additional precaution, the university said it will destroy all removable media, and each hard disk will be "scrubbed" at the end of the course, presumably to ensure that all viruses created will be wiped out.
Asks Lindstrom, "Are they going to erase the students' brains at the end of the course?"