CAOS Weekly Philosophy Question: Virus and Spyware 101

Brad Nunnally · 2005-02-22T16:56:22-06:00 (Tuesday)

Here begs the question on how in-depth our training should be in computer security. Should there be courses given here, and in other computer science programs around the country, that teaches us the finer points of viruses, spyware, etc.?
Doing so would give us great knowledge on how to combat all the different forms of them that are out there. However, it could open a whole bag of worms being teaching people how to make these dangerous and sometimes illegal programs.

If the courses were available what kind of restrictions should be put on the students? Should a student, or someone who has taken the course, get a greater punishment if they are caught doing something illegal, then some thirteen year old hacking away in their basement?

Knowing the finer points of this subject would give us a great weapon against malicious hackers and crackers out there. However, a weapon is nothing but a tool, which can be used for either good or evil.

Below is an article about a school in Canada that is offering courses on this matter.

Malware 101

Brad Ty Nunnally
CAOS Vice-Pres.

"If you've hit bottom, you can only go up" ?

Tyler · 2005-02-22T17:56:43-06:00 (Tuesday)

I think that there shouldn't be classes on it, per say, but it should be taught in conjunction with other things. This parallels bio/chem students. I know a couple bio/chem majors, and they say they know how to make almost every kind of drug and explosive available. I really doubt they have much protest with people learning to make crystal meth but there's a big problem with a computer security classes that teaches computer exploits and ways to protect against them.

Jerry · 2005-02-25T10:24:36-06:00 (Friday)

The issue isn't what is taught, rather what you do with what is taught.

The topic should be taught. I'm a big proponent for having a hands-on security lab course. But in conjunction issues of ethics and law should be taught along with the subject.

Would it encourage hackers? No. If you were not already predisposed to unethical or criminal behavior then having the knowledge would not encourage you to do something unlawful.

Would it give hackers easy access to tools and knowledge? Personally I would hope the students we graduate would already have enough knowledge to figure out viruses and security systems work if they made the effort.

Bryan · 2005-02-25T10:51:58-06:00 (Friday)

Unfortunately Dr. Weinberg, I know some of the students that have graduated...and I'll always wonder HOW they graduated :-P However you are right, there is so much in the computer science field that is only vaguely touched upon or not even brought up at all. It is IMPOSSIBLE to touch everything. However I think this is one subject that SHOULD be taught. On that note, I think it would give the university HORRIBLE publicity. My father is the city editor for the Alton Telegraph. I love him dearly (most of the time) but I still won't hesitate in saying that journalists will use whatever angle they can to get a good story. he's often the first to admit it.

The journalists would come like sharks to a bleeding whale at an opportunity like that.

Jerry · 2005-02-25T11:58:50-06:00 (Friday)

Justifying having a course and publisizing the course aren't necessarily the same thing.

If the course was designed with ideas from the Certification for Ethical Hackers or the guidelines of the NSA's Centers of Academic Excellence in Information Assurance. Then you can spin it as keeping businesses safe or possibly Homeland security.

Elizabeth Weber · 2005-02-25T12:11:49-06:00 (Friday)

Avoiding certain buzzwords in the course title would effectively eliminate public scrutiny on the course (ie, taking the 'H' out of CAOS).
On teaching or not teaching the course, I don't think there's any reason such course content should be banned or otherwise looked down upon. It certainly proports educational value, it's inclusion in the curriculum would be strictly up to the administration (staff ability, availability, etc.).

Jarod Neuner · 2005-02-25T21:44:29-06:00 (Friday)

Careful, you might be proposing that the university teach something useful.

Irony aside, us Linux folks might argue that virus problems will only last as long as M$ lasts. The permissions system inherent to *nix is an extremely hostile environment for a virus to propogate through. That isn't to say that a virus can't exist (this is pretty thick), only that it is a pain to make it portable enough to be worth writing in the first place.

I will take this chance to make a plug. It would be...beneficial...if a chapter in CMIS108 was spent on safe web browsing. Since most of us will probably be reduced to monotonous IT duties at some point in our careers, it could be helpful for the general public to know not to look at 'pics from the beach' in the AIM away message or to understand what will happen to their computer when they install LimeWire, Aeris, and Morpheus. Just a thought...

Jonathan Birch · 2005-02-26T01:22:18-06:00 (Saturday)

To be fair, there already are a few classes which at least delve into computer security issues. My understanding is that a fair portion of the curriculum for CS547 (Network Programming) centers around network security. IS376 (Information Technology and Society) covers law relating to computer viruses, and also involves an overview of how they and other malicious forms of software operate. There's also a 490 course in computer security, but I don't know much about it.

I agree that the media would likely present a problem if any class specifically about computer viruses or other illegal CS activities was taught. I have an idea that there would be an uproar the first time a virus appeared that it was even slightly plausible to attribute to a student or alumunus. Still, universities are good places to test the boundaries of law and ethics, and I agree that it would almost certainly do more good than harm to offer such a course. Besides, SIUE could probably use the publicity.

Jerry · 2005-02-26T14:26:58-06:00 (Saturday)

If we were to offer such a course who would you pick to teach it?

I vote for Andrew (the good twin of course).

William Grim · 2005-02-26T22:35:21-06:00 (Saturday)

Hmm, who could teach it..

Andy is a good candidate.

Doesn't Edmond Abrahamian do a bit of system administration at his work? Perhaps he'd also be a good candidate. That man knows a lot of cool things; ask him to explain genetic algorithms sometime!

Tyler · 2005-02-26T22:51:35-06:00 (Saturday)

I would take any class Edmond teaches.

Elizabeth Weber · 2005-02-28T19:51:55-06:00 (Monday)

You know ... you could offer it as part of a "CAOS [the h is silent] lecture series". Get Andrew to teach one, Mr. Abrahamian could teach one, whomever you could sucker into it weekly, biweekly, monthly ...