Back in 2003, the University of Calgary started to offer courses in virus writing, much to the annoyance of the security industry. Well, the anti-malware industry: people outside that sector like Bruce Schneier tend to take a contrary view of the hands-on approach to understanding security threats. However, what we still called at that time the AV industry was pretty unanimous:
- Sophos commented
- Fridrik Skulason commented
- Vesselin Bontchev took the idea to pieces in an AVAR paper (and made some sound suggestions about alternative ways of teaching the next generation of anti-malware researchers what they need to know).
Professor John Aycock braved a hail of criticism and has attended a number of security conferences subsequently. I’ve never been able to accept the view that you have to write malware in order to understand how to detect/defeat it, but he is an intelligent and likeable man who has contributed to our understanding of the malware scene, for instance in the (now virtual) pages of Virus Bulletin.
I don’t suppose that the current vicious spate of ransomware owes much to the teaching practices of the University of Calgary. In fact, malware technology has changed so much in the meantime it’s hard to see how it could. And certainly I’ve no particular reason to suppose that any of the students who took that class lacked honesty and integrity any more than the rest of the population.
Still, there’s a certain uncomfortable symmetry in the fact that the University of Calgary has apparently just paid $20,000 CAN to a ransomware gang for decryption keys… I won’t say ‘what goes around comes around’ but I suspect there are those who will.