Friday, November 03, 2006

malware creation in academia

i wrote about one instance of academic malware writing not too long ago... in that case a virus was made to prove that viruses could be a threat on what was essentially a tricked out windows box (paging captain obvious)...

another pair of incidents has grabbed people's attention recently even though they aren't exactly new... one involves mobile malware created and released for download by the university of santa barbara which symantec actually linked to and then quickly removed the link (thanks guys, it's nice to see i'm not the only one trying to follow an anti-malware linking policy) and which predictably (and rightly) drew criticism...

and of course there's also our old friends from university of calgary (who gained infamy for running a course where the curriculum involved writing viruses, which many people spoke out against) deciding to branch out into spam and spyware... this too drew criticism, and rightly so... if you're anti-drugs then you don't create/use/sell drugs, if you're anti-violence then you don't create violent situations (at least not intentionally), so how can you pretend to be anti-malware if you create malware? have we forgotten what the prefix anti- means?

well, not everyone has forgotten what it means - the anti-malware industry, for example, remembers quite well and for the most part will not hire those who create malware (although not all sectors of the anti-malware industry are as principled as others)... ed moyle thinks the av industry is being unfair to punish students for taking such courses, but he misses the point - it's not a punishment, it's a consequence... there are plenty of fields where previous breaches of the field's mores disqualify you from being employed in that field... police, firefighters, even school bus drivers have to be people you can trust not to do something that is a taboo in the context of their respective jobs... any job you can think of has a similar requirement because all jobs involve trust at some level... i hardly think it's unreasonable to expect that people who create malware shouldn't be able to get jobs in the anti-malware industry...

on the other hand, when a professor or academic adviser teaches or endorses this type of pursuit knowing full well what the consequences will be for the students (and the professor in question most certainly did), certainly more than the students themselves, then shouldn't the finger of blame spend some time pointing in his general direction? and if the professor later compounds that affront by branching out into additional malware fields so as to disqualify his students from even more segments of the anti-malware industry, can there be any question about whether he's serving his students' interests or if he's teaching them material they'll actually be able to use in the fields they would otherwise expect to be able to use it in (i know if i learned about viruses i'd expect to be able to put it to use in the anti-virus field)...

of course proponents of this kind of training will talk a good game about needing to understand how malware works, but what most fail to recognize (or perhaps they're just hoping your own thinking is sloppy enough to miss this) is that learning how a thing works and learning how to make that thing are actually quite different... learning how to make a thing is not required in order to learn how it works - i don't need to know how to make a shiv in order to know how a knife works, i don't have to learn how to build a car in order to make it go... moreover, just because you wrote malware X doesn't mean you know how it actually works, all you really know is how you intended it to work - making malware doesn't really teach what you'd expect it to... were these malware creation activities to be replaced with reverse engineering of existing malware, the students would learn not only how the malware worked but they would also learn a skill that would be directly applicable to a career in the anti-malware industry and they might even wind up being sought after by multiple competing anti-malware vendors... wouldn't that serve the students' interests better? wouldn't that better prepare them to use the knowledge they gain in the field it applies to best?