University course for virus-writing is irresponsible, says Sophos

May 23, 2003 Sophos Press Release

Dr. John Aycock of the University of Calgary thinks teaching students how to write viruses is a good idea
Sophos has reacted with surprise and disappointment to the news that the University of Calgary in Canada is offering its students a course in malicious virus-writing.

The course, titled "Computer Viruses and Malware", which is due to commence in the autumn of this year, is described by university literature as focusing on "developing malicious software such as computer viruses, worms and Trojan horses that are known to wreak havoc to the tune of billions of dollars world-wide on an annual basis."

The course professor, Dr. John Aycock, is said to have convinced the University authorities to allow virus writing to be part of the course in the belief that it will lead to a greater understanding of how to stop viruses.

"Should we teach kids how to break into cars if they're interested in becoming a policeman one day? It is simply not necessary to write new viruses to understand how they work and how they can be prevented," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Sadly it seems the university is developing courses according to what it believes will be most attractive to potential students rather than focusing on skills that will be useful to them in the security industry. One wonders if the University will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users."

Sophos points out that none of the researchers working in its labs write malicious code, as there is no need to do this to achieve a better understanding of how to defeat viruses.

"On its website the University of Calgary has tried to draw a comparison with methods being used to try and combat SARS. But scientists don't actually create new biological viruses in order to find cures," continued Cluley. "Instead they do what we do - careful examination of new threats and a thorough understanding and analysis of the many threats which already exist. Creating new viruses is of no benefit at all, but could lead to greater danger."