By Nicole Gaudiano
Gannett News Service
Nov. 1, 2006
College student Nathan Friess recently designed a computer spyware
program that could invade your computer, log your keystrokes and even
collect the password to your bank account.
"It did a good job of hiding itself," said Friess, 23. "It also made
itself relatively difficult to remove."
If you think his sinister-sounding creation got Friess into trouble,
think again. The spyware program was homework for the graduate student
at University of Calgary in Canada. And it earned him an A.
A hands-on computer security course at the school teaches students in a
secure lab how to write spyware and spam -- and how to defend against
It's the latest controversial class taught by John Aycock, a computer
science professor who inspired outrage and an online protest from more
than 100 industry experts when he introduced his computer virus-writing
course in 2003.
Aycock followed up with the "Spam and Spyware" class last year. He said
the class gives students "a solid base upon which to construct better
"Given that spam and spyware are frequently touted as major problems for
our computer-dependent society, universities should be lining up to
teach students about spam and spyware," he wrote in a July abstract on
Other computer security professors say Aycock's class is the only one
they know of that actually teaches students how to write spam and
spyware in a lab.
Professor Richard Fordteaches a detailed course on malicious code at
Florida Institute of Technology in Melbourne, Fla., and has walked his
students through an analysis of the "SQL Slammer" computer worm that
overwhelmed servers and slowed worldwide Internet traffic in 2003.
"However the emphasis is understanding how it works instead of, 'This is
how you do it,' " he said. "I don't think the students need to implement
the virus to understand the virus."
Aycock's critics question the security of his classroom lab and the
benefit of such teaching methods. Representatives from McAfee and Sophos
Internet security companies have vowed never to hire his students.
"It's kind of like saying, In order to be a better doctor you have to
learn how to torture people,' " said Joe Telafici, director of
operations at McAfee Avert Labs.
Aycock's students work in a laboratory with computers in padlocked cases
operating on an isolated network. Security is even tighter in the
virus-writing lab, with no electronics allowed in or out.
But Ron O'Brien, a senior security analyst at Sophos Inc., warned that
accidents can still happen.
"There is a concern that something created in the lab could escape into
the wild, whether it happens intentionally or unintentionally,"he said.
Aycock said he knows of no students who have misused what they learned.
Students must sign a legal agreement that they will abide by lab
protocol. They also write an essay about why they want to take the
course and get their photo identification checked at the door.
"These are our best students," Aycock said. "They're well-grounded in
law and ethics. I don't have any trouble sleeping at night."
Friess, who may pursue his doctorate or a cyber security job, calls the
criticism of Aycock's course "unfair." He said he has a duty to properly
use his new skills, just as a chemistry student has a duty not to make
Another of Aycock's graduates, Reg Sawilla, said the malicious software
he wrote in class helps him understand whether he's proposing effective
solutions on the job at a research and development agency of the
Canadian defense department.
"The people taking this course are not people who want to learn how to
do harm with it," said Sawilla, 33. "Their interest is in understanding
how these things work to further the research."
Visit the InfoSec News store!