Leader: Why teach students malware techniques?

The arguments for and against teaching students the techniques of the malware community have kicked off again this week, at the Virus Bulletin conference, after a PhD candidate from the University of Calgary walked delegates through a technique for keeping attacks anonymous and undetected.

Andreas Hirt detailed methods for "covert propagation" and in doing so raised more than a few eyebrows around the auditorium.

Hirt's presentation and subsequent failure to clarify which elements of his techniques, if any, have been shared with the security industry drew accusations of irresponsible disclosure from the floor.

This isn't the first time the University of Calgary has drawn fire for controversial teachings in the disciplines of the malware community.

'Know your enemy' is the defence and the university reasonably says it is better equipping future generations of security professionals. So it's interesting that the security industry is so divided on the real value - above the kudos of a headline-grabbing syllabus - of courses on topics such as virus writing, spam and spyware.

The debate goes beyond the obvious and slightly tired arguments about what happens when one or two students go bad.

One security professional talking to silicon.com at Virus Bulletin said, "Everybody has their price", and students' services will typically come at less of a premium.

But the question here is whether there's enough value in such courses to make that negligible but very real risk worthwhile.

There are those in the security industry who argue against the courses on offer in Calgary on a practical, rather than emotive, knee-jerk level.

It is often said most students learn more in their first month 'on the job' than they did during their entire degree course.

Similarly with the rate at which the threat landscape and response techniques are currently evolving, some of the skills and techniques they learn on the course are going to have become obsolete before they serve any long-term professional value.

So the questions have to be: does this kind of course offer any real value? Not really. Does it create an added element of risk? Absolutely.