CPSC 527 or: How I Learned to Start Worrying and Write a Virus (danieru.com)
72 points by Danieru on Dec 29, 2013 | 22 comments



The idea that a security company would discourage people from learning about something, particularly in a safe environment, is horrifying to me (someone who has worked in a security company). It seems like applying the policy way too tightly - there's a huge difference between a "virus writer" and "someone who wrote a virus in an academic setting and never released it publicly".

The real horrifying part though is the fact that the people who want to solve the problem are being discouraged from doing so by the threat of blacklisting. On one level it's immoral, on another it's self-destructive. More schools should be offering classes like this.


Could explain why there are no good anti-virus softwares on the market! All I see are bloated monstrosities only able to catch the less harmful viruses.

Even before I switched away from Windows I never used them.


Certainly ten or more years ago, antivirus companies actively sought out virus writers. In those days the virus writers were more likely to be troublemaking kids rather than organised crime, and it was much more fun to be the gamekeeper than the poacher.


I don't understand why we need to have CHECKs in the first place. If everyone has to write some bullshit reasons instead of being blunt that they are just curious about how professional virus and malware is written, what is the point of reading those essays?

If we fear people start developing malware and virus, think about all those web design classes out there where students don't realize how vulnerable their implementations are. Think about all the free sec tools out there.

> Most anti-virus companies (including ours) have a policy against hiring former virus writers for anti-virus work

What? Who do they hire then? I suppose I am qualified because I have never written a serious virus/trojan. Would I call rm -rf a joke? There was a guy who discovered a way to create a botnet by XSSing a Gmail Chrome extension two days ago. Would anyone call that some form of trojan?

My friend did this prank in a computer lab. He knows the local IP of each computer and they are sequential. He wrote a shell script which (1) screen-captures the current screen on each computer, sends that image to the adjacent computer, and then changes the background.

I think your enemy can also be your friend. If people are curious, they will find a way to beat their curiosity. If they are technically smart, they can write viruses that bypass AV scanners. Hey, those are the guys you want to hire. Are they suggesting that none of the researchers working for these AV labs have never written some form of virus or malware or Trojan prior to employment?


Back in HS, we did stupid shit like write joke DOS TSR virii that had easter eggs like calculators, ASCII tables and random text "screen savers" that didn't respect what you happened to be doing.


Also the computer lab was pure anarchy without supervision: the only rules were don't get the teacher in trouble, don't make 'em look bad and don't kill each other. Somehow, no one got caught hacking into the Pentagon or AT&T.


I do like the course application requirements of ASCII or PDF (and no Word). I miss uni and all the lecturers who have to have things just so :)

I also would have loved to have had a course like this when I was at uni. I might have paid more attention in the systems course :(


UC Davis is pro portable *nix (usually C code) instead of any particular bias(es). I wished the ugrad OS course used plan 9 instead of minix though.


Did you by any chance use Designing BSD Rootkits [1] as a reference manual?

[1] http://www.nostarch.com/rootkits.htm


Nope, but I bet that would have helped! Instead it was just lots of reading and grepping through the BSD source code.


I don't get the point from the security companies. Writing viruses will definitely give you the knowledge to understand and (at least try to) protect against them.

Keep it up!


My very first "virus" was a batch file called win.bat that just scrolled profanity. It was called win.bat because that would make it execute before Windows loaded on a 95 system.

It brought the whole computer lab down after I manually "installed" it on each of the 5 machines one day.

This was in middle school, and yeah, my middle school was a joke. They ended up formatting all of the machines and the lab was down for half of the semester.


I wonder if instead of focusing a handful of courses on virus making we shouldn't instead re-brand the whole endeavour with a more positive spin and focus on something that could be called 'nanogens' for instance, whose modus operandi would be identical to viruses, but their purpose would be to protect against their harmful counterpart and repair the host instead.


There is already malware that "protects" the host by detecting and eliminating other malware. The idea is that if you keep the user's system clean (except for your malware) then you will evade detection more easily.

If, as you suggested, someone released a virus designed to fix a person's computer, it would still be harmful in principle because you are making the assumption that people want strangers executing code on their machines.


> because you are making the assumption that people want strangers executing code on their machines

Except that's pretty much what happens every time you visit a website with JS enabled...


Without context and purely based on technicality you are correct, yet in the frame of this conversation your comment doesn't make any sense.

Clearly there is a difference between a benign website and a site that hosts code that knowingly takes control of the user's computer (regardless of the programmer's intentions).


This didn't deserve a downvote...


In the old times when all viruses came with a paper explaining how they worked, somebody tried that (but, of course, I don't remember any names to google, sorry). The "good" virus took down the network as well as the bad one, and the procedure was classified as harmful since then.

Nowadays we have some techniques for restraining a virus, so that might work better... But then, we took the good parts of that virus and packaged them in software that we deploy in a controlled manner - we call that software anti-virus. There is no need to even test it anymore.


https://en.wikipedia.org/wiki/Welchia

Used the same exploit as the blaster virus, patching the exploit on the host computer and self-propagating from it.


> and thus not be able to contribute to actually solving the virus problem

So I am expected to believe that the makers of anti virus programs have an interest in solving the virus problem, AND that they are actually capable of doing this, AND that they are the only way this can be done? Not buying it.


Sounds like an interesting course, I wonder if they can be convinced to put it on Coursera?


I doubt it, from the course's description[1]:

> Due to the inherent danger of this software, you may only work on these assignments in the designated lab room for the course.

> You will be required to sign a form stating that you have read and understood the lab protocols, and that you understand that misuse of the information in this course can result in civil and criminal penalties under the laws of Canada and of other countries.

Also, the link to the course's contents on John Aycock's page[2] says:

> (course access only, sorry)

So I guess they don't want to make the contents of the course public

[1] http://pages.cpsc.ucalgary.ca/~aycock/virus-info.html

[2] http://pages.cpsc.ucalgary.ca/~aycock/



