These developers may look at past viruses to find out why they worked or why they didn’t work. They may use them as inspiration or examples of what not to do. But, they don’t rely on them as their only source of information. They are also explorers and hackers in the true sense of the word. They will dig and hunt for new flaws and vulnerabilities to exploit rather than simply relying on past virus-writing precedent.
We need for the good guys to think like the bad guys. We need the whitehat security gurus to proactively discover new attack vectors and new vulnerabilities and develop the vaccine before the virus is invented. Rather than waiting for the bad guys to make the first move we need the antivirus community to think one step ahead and try to plot out what the next move might be and block it.
There is a heated debate going on right now in the security community. The University of Calgary intends to offer a class this fall that will teach students about viruses and in which the students will actually learn to write their own viruses. The course will only be offered to 4th-year students and the lab environment will prohibit the taking out of any removable media and will not be connected to the external world at all to minimize the risk of an accidental virus release to almost zero.
Many in the antivirus and security administration world vehemently oppose the strategy of teaching virus creation in order to teach virus defense. AVIEN (Anti-Virus Information Exchange Network) and AVIEWS (Anti-Virus Information and Early Warning System) have issued a joint statement encouraging the University to teach students “subject matter relating to the prevention, protection, and cure, rather than how to attack and destroy.”
The University of Calgary Department of Computer Science web site has a statement about this controversy which says “It is time for critics to take their heads out of the sand and work with us to start developing the next generation of computer professional who will be proactive in stopping computer viruses. The current approach of reacting to the viruses is simply not working.”
The statement goes on to detail different security measures that will be in place to ensure that students act responsibly and that viruses developed in the lab will not accidentally escape and spread on the Internet at large. Any such infections would be contained to the lab environment.
Robert Vibert of AVIEN is quoted in an ITBusiness.ca article as saying “there’s nothing stopping them from learning how to do it and write a slightly different virus at home. This is giving them skills that they can apply without copying anything out of the labs.”
In that same ITBusiness.ca article Rob Slade, a Vancouver-based security expert says “learning how to write a virus doesn’t translate to the defensive side. As a matter of fact, concentrating on learning how to program malicious code is a waste of effort in learning how to defend systems.”