http://www.azcentral.com/news/articles/1101gns-spamcollege01-ON.html

By Nicole Gaudiano
Gannett News Service
Nov. 1, 2006

College student Nathan Friess recently designed a computer spyware program that could invade your computer, log your keystrokes and even collect the password to your bank account.

"It did a good job of hiding itself," said Friess, 23. "It also made itself relatively difficult to remove."

If you think his sinister-sounding creation got Friess into trouble, think again. The spyware program was homework for the graduate student at University of Calgary in Canada. And it earned him an A.

A hands-on computer security course at the school teaches students in a secure lab how to write spyware and spam -- and how to defend against them.

It's the latest controversial class taught by John Aycock, a computer science professor who inspired outrage and an online protest from more than 100 industry experts when he introduced his computer virus-writing course in 2003.

Aycock followed up with the "Spam and Spyware" class last year. He said the class gives students "a solid base upon which to construct better defenses."

"Given that spam and spyware are frequently touted as major problems for our computer-dependent society, universities should be lining up to teach students about spam and spyware," he wrote in a July abstract on the course.

Other computer security professors say Aycock's class is the only one they know of that actually teaches students how to write spam and spyware in a lab.

Professor Richard Ford teaches a detailed course on malicious code at Florida Institute of Technology in Melbourne, Fla., and has walked his students through an analysis of the "SQL Slammer" computer worm that overwhelmed servers and slowed worldwide Internet traffic in 2003.

"However the emphasis is understanding how it works instead of, 'This is how you do it,' " he said. "I don't think the students need to implement the virus to understand the virus."

Aycock's critics question the security of his classroom lab and the benefit of such teaching methods. Representatives from McAfee and Sophos Internet security companies have vowed never to hire his students.

"It's kind of like saying, 'In order to be a better doctor you have to learn how to torture people,' " said Joe Telafici, director of operations at McAfee Avert Labs.

Aycock's students work in a laboratory with computers in padlocked cases operating on an isolated network. Security is even tighter in the virus-writing lab, with no electronics allowed in or out.

But Ron O'Brien, a senior security analyst at Sophos Inc., warned that accidents can still happen.

"There is a concern that something created in the lab could escape into the wild, whether it happens intentionally or unintentionally," he said.

Aycock said he knows of no students who have misused what they learned. Students must sign a legal agreement that they will abide by lab protocol. They also write an essay about why they want to take the course and get their photo identification checked at the door.

"These are our best students," Aycock said. "They're well-grounded in law and ethics. I don't have any trouble sleeping at night."

Friess, who may pursue his doctorate or a cyber security job, calls the criticism of Aycock's course "unfair." He said he has a duty to properly use his new skills, just as a chemistry student has a duty not to make pipe bombs.

Another of Aycock's graduates, Reg Sawilla, said the malicious software he wrote in class helps him understand whether he's proposing effective solutions on the job at a research and development agency of the Canadian defense department.

"The people taking this course are not people who want to learn how to do harm with it," said Sawilla, 33. "Their interest is in understanding how these things work to further the research."