Why schools should teach virus writing

This is particularly apt for hackers and virus writers, whose activities are, I believe, born largely out of boredom, not malice. Their decidedly antisocial behavior aside, many virus writers and hackers begin as well-intentioned individuals with no outlet for their intense curiosity about computers and the Internet.

I'm not going to defend every hacker out there. Nor will I defend script kiddies, who generally have no programming skills whatsoever. I do, however, think that a fair number of exploits are the result of curious individuals testing their skills and seeing what they can get away with. Some youths commit hacks only as a rite of passage to distinguish themselves from the ranks of other self-taught programmers.

Like toddlers, hackers-in-the-making break things and make messes, but often there is no evil intent behind their actions. I believe, with a little effort, we can nudge these youths toward a more productive future.

What brought all this to mind was the recent news that the University of Calgary plans to offer a course on virus writing, with an eye toward virus prevention. Titled "Computer Viruses and Malware," the course will require students to write and test their own viruses on a closed network, to ensure that none of their creations spread beyond the classroom.

The announcement drew the ire of some in the security community, with many antivirus vendors saying they would not consider job applicants with such a credential on their resume.

It's unwise for vendors to make such pronouncements. Simply put, current antivirus technology is not keeping up with virus trends. Using virus signature files worked fine in the pre-Internet 1980s, but it isn't all that effective against rapidly spreading polymorphic viruses, such as Bugbear.b, and is totally ineffective against memory-only worms, such as Code Red. We need a paradigm shift in antivirus technology, and soon.

The Calgary course could produce fresh thinking about viruses and, ultimately, better virus prevention. Let's face it, young people have a lot to offer when it comes to computing. Self-taught fifteen-year-olds could offer a different perspective on the Internet than the one held by those of us who learned formal computing skills in our twenties and thirties. And if kids are going to experiment anyway (which you know they are), providing a safe forum for their activities makes sense.

Another program in rural Maine allows high school students who are performing poorly in academic subjects but have an aptitude for computers to hack test systems in a controlled environment. As reported in the New York Times, the intent of the Maine program is to foster an awareness of computer security as a career choice, and perhaps to turn some of these students into Maine-based computer security specialists. I applaud these and other efforts to help kids realize that their computer skills have marketable value.

I'm the first to admit that some hackers and virus writers are criminals who act with malicious intent. But those who aren't, those who are simply antisocial misfits looking for a way to express themselves, represent a wealth of untapped talent and potential.

If we foster safe environments for these would-be hackers to learn in, the entire computer industry could benefit. It's time for the security community to become more proactive--and perhaps learn how to stop viruses from ever being written.

Robert Vamosi is senior associate editor with CNET/ZDNet Reviews.