The Associated Press, 2003-06-11
First the University of Calgary announced plans to offer a class in writing computer viruses and other destructive programs. Then Wired magazine published the code of a virus-like program that caused mass havoc on the Internet this year.
Both developments infuriated virus-fighting companies and illustrated the high-stakes dilemma of computer security: Do you keep vulnerabilities secret or spread the knowledge so problems can be remedied faster?
The antivirus industry is squarely in the first camp.
Dave Perry, director of education at Trend Micro Inc., considers the article in this week's Wired detailing the Slammer worm a cheap grab for attention with no educational or ethical justification. He likened it to pornography, saying its publication could loosen the standards of acceptable behavior in the computer world.
Slammer infected more than 75,000 computers within 10 minutes on Jan. 25. It slowed down the Internet worldwide, freezing up major Web sites and even bringing down some ATM systems.
Chris Anderson, Wired's editor in chief, said the article is a public service that demonstrates the Internet's "extraordinary vulnerability to that kind of attack."
The code for the worm, whose author has not been identified or caught, has been available online since the attack, but it hasn't been dissected in a major publication.
Still, even Perry acknowledged that the risk was small that the article could enable someone who was not already an adept programmer to create a new virus.
Slammer itself was based on a flaw in Microsoft code publicized by a researcher months earlier.
Microsoft had issued a patch for the vulnerable software, which runs corporate databases, but many administrators had failed to apply it.
With the Wired article's line-by-line analysis of how the worm worked, Anderson said he hoped to diminish the knowledge gap between virus-writers and virus-fighters.
"The people who understand them the best tend to be on the releasing side, whereas those who are on the protecting side should understand them the best," he said, echoing the rationale for the Canadian university's virus-writing class.
In announcing its plans last month, the university said students need to know how viruses work in order to develop more effective countermeasures. It drew analogies to how scientists fight biological viruses.
Similarly, some security companies offer hacking classes -- with attendance restricted -- to keep corporate computer administrators up-to-date on the latest tactics being used against them.
Only fourth-year students will be allowed to take the Calgary class. It will be held in a room with no network connection to the outside, and no discs will be allowed out of the room, the university says. When the course ends, all removable discs used will be destroyed and hard drives will be completely erased, the school adds.
The precautions have done little to counter disapproval in the antivirus community.
"If I'm a doctor trying to combat a virus like smallpox, I don't need to learn how to make a new, more lethal strain of smallpox," said Chris Belthoff, senior security analyst at Sophos Inc.
With more than 80,000 viruses known so far, there is no need for new ones, Belthoff said. Sophos has a policy against employing people who have written viruses and has said it won't hire students who have taken the class.
Researcher Sarah Gordon, who has worked with IBM Corp. and Symantec Corp. on virus protection, said that while the Calgary course would not necessarily be dangerous, it would be superfluous.
"Writing a virus is not rocket science. It's not magic. It's not anything anyone who knows how to program couldn't do easily if they wanted to," she said.
But the university contends that the industry's current defense against viruses is inadequate.
It's based largely on antivirus companies identifying viruses, then updating software for users' computers to detect them -- a "reactive" approach that can be blindsided by quickly spreading plagues like Slammer.
The organizers of the Calgary university course would not make themselves available for comment, but said in a statement: "It is time for critics to take their heads out of the sand and work with us to start developing the next generation of computer professional who will be proactive in stopping computer viruses."
Belthoff concedes that the current approach makes fighting viruses a "timing game," but said it's very successful as long as the antivirus companies act quickly.
Viruses have been the subject of similar debates for as long as they've been around. Mark Ludwig, a physicist, was heavily criticized for publishing "The Little Black Book of Computer Viruses" in 1991.
"The antivirus community was up in arms for two or three years. After a while they kind of got used to it," he said.
Ludwig, who went on to write "The Big Black Book of Computer Viruses" and similar collections, believes the antivirus industry thrives on secrecy and mystique and is loath to spread knowledge.
He called the Calgary class "probably a good idea," and rebutted the notion that writing viruses is a simple matter.
"Anyone who's serious about computer security and anything related to viruses has got to know how they work in detail," he said.