Over two years ago, George Ledin wrote an essay in Communications of the ACM in which he advocated teaching worms and viruses to computer science majors. He stated in that essay:
Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.
This spring semester, George Ledin Jr. taught the course at Sonoma State University. He created a class that taught students how to design and execute malicious programs that can take over a computer, steal information, or cause the computer to erase vital information and need a complete overhaul. Ledin believes that teaching students how to write computer viruses will give them a better understanding of how malicious programs are made and the knowledge needed to create better defenses. The controversial class, which SSU officials call the first of its kind in the nation, has drawn heavy criticism from members of the computing community. Three security software development companies sent SSU hostile letters, according to Ledin, and have pledged not to hire SSU graduates. That threat did not stop 15 students from signing up for the course. To prevent any malware created during the course from endangering any computers on the Internet, all work was done in an isolated lab disconnected from the network. Ledin acknowledged that there is a danger that some student might maliciously release a virus, but like with other academic fields that deal with dangerous and controversial material, teachers must rely on the students’ ethics. To help reinforce those ethics, SSU assistant professor of philosophy John Sullins was added to the course as a second instructor, and continuously reminded students of the potential consequences. Ledin developed the idea for this class after writing an editorial emphasizing the need for better education on malware for an ACM publication. Ledin said that despite the criticism he plans to teach the course again. “There is a perception that this is a taboo topic and shouldn’t be taught,” Ledin said. “But if we are going to develop better security, we need to know how these programs work.”
It got a lot of press coverage. Here are some articles:
- Sonoma State University http://www.sonoma.edu/pubs/newsrelease/archives/001090.html
- The California State University http://www.calstate.edu/pa/clips2007/may/22may/virus.shtml
- PC World http://blogs.pcworld.com/staffblog/archives/004452.html
- Also here http://www1.pressdemocrat.com/apps/pbcs.dll/article?AID=/20070526/NEWS/705260309/1043
- And here http://www1.pressdemocrat.com/apps/pbcs.dll/article?AID=/20070522/NEWS/705220312/1033/NEWS01
Bruce Schneier commented on this:
No one wrote a virus for a class project. No new malware got into the wild. No new breed of supervillain graduated.
Teaching this stuff is just plain smart.
One of the comments on this course was:
I believe that anyone who criticizes Ledin should meditate on whether the action of forbidding virus lessons could lead to a more secure computer world. This story reminds me of something that I experienced in my childhood. I was a teenager, I was supposed to have a lecture on human reproduction, but a group of parents came to my school to complain about the subject and the school representatives decided to eliminate the subject from the program. That was a similar situation. Have those parents educated their children with strong morals? Would the companies who disagree with the classes hire students with stronger ethics and morals because they couldn’t learn how to program a virus at the university? Do they know there are a lot of documents to do that? Are they trying to cover the sky with their hands?
Besides, the advantage of learning something with the guidance of someone with expertise is valuable. Should the academic members have the knowledge? Yes, they should!
So, should we teach students how to write viruses? This will probably cause many discussions in the future.