I came across an article today about John Aycock and his new spyware class at the University of Calgary. Dr. Aycock is of the opinion that students learn better how to protect against spyware by first understanding how spyware works - and what better way for students to understand how spyware works than by actually learning how to build some? Now this isn't the first time this particular professor has espoused these particular beliefs (to great controversy) - specifically, this is the same professor that was criticized (mostly by the AV community) for offering a class that teaches students how to write viruses.
Now, put aside for the moment whether you think he's right or wrong - we'll get to that in a minute. For the time being, concentrate on the vendor response (consisting mostly of outrage and hyperbole.) McAfee likens the Calgary curriculum to torturing people ("It's like saying that in order to be a better doctor you have to learn how to torture people".) Sophos (always willing to give the benefit of the doubt) says it's more like carjacking rather than the Mengele-esque pain frenzy described by McAfee ("Should we teach kids how to break into cars if they're interested in becoming a policeman one day?") Anyway, the upshot is that AV firms have gone on record saying they will never, ever, hire students who have completed these classes: "Representatives from McAfee and Sophos Internet security companies have vowed never to hire his students." One wonders if they'll hire students that have failed the class or if you have to actually pass it to get blackballed...
Clearly the response of these AV firms is unfair to at least one group of people; namely, the students. Is it the responsibility of a high-school senior to vet the politics of their potential professors before applying to a University? Should it be? If a student changes majors, is it their responsibility to change schools if a professor's politics in their new program happens not to align with executives in industry? Where does a student go to consult the registry of professors whose classes make them unemployable in industry? Look - for the moment, put yourself in the shoes of one of these students: you're bright and you completed your degree in computer science with honors. Now, it doesn't really matter what your reason for choosing Calgary was - maybe you chose it for the excellent business school or maybe you got a scholarship (do Canadians need scholarships for school?) Anyway, no matter what the reason, Calgary was your pick. During your term, Dr. A's classes made you so interested in AV that you decide to pursue a career in it after graduation. But then comes the sticky part: you apply to AV vendor after AV vendor. Inexplicably, you're turned down at every firm. What's going on? You research it, and find out that you're blackballed; tough break... you can't untake the class so you can't get a job. Stick a fork in you.
So, the vendor response was hyperbolic and it was unfair to students. But these things would probably be acceptable if they're at least justified. So, are they? It seems to me that the crux of the AV vendors' argument is twofold: objection #1: these students are a threat and objection #2: the professor's lab might be unsafe. So are these things true? Let's break them down:
Objection #1: Calgary's AV training makes students too good and too dangerous (like Benicio Del Toro in "The Hunted"). Now, maybe I'm overly skeptical, but let me ask you to compare two scenarios to illustrate why I think Calgary's program is better than the alternative:
Scenario #1: a prospective AV employee goes to class with Dr. A and learns about malware ethics, malware countermeasures, and how malware works.
Scenario #2: a prospective AV employee spends their teen years reading electronic texts from underground groups such as the Ready Rangers Liberation Front or the Purgatory Virus Team. Maybe you reverse engineer a few viruses, maybe write a rootkit or two, maybe you write a virus toolkit or publish information on malware authorship.
Which option seems safer to you? Now, which one is more likely to get you blackballed by the industry? Apparently, the first one is unacceptable and the second one is accepted practice. How many of us in security got our start by reading less-than-reputable information sources on BBS systems or USENET (depending on your age I suppose.) Now call me cynical, but it seems to me like the Calgary program is more controlled, more conducive to learning, and probably safer because students get taught ethics while they're learning about malware.
Objection #2: The Calgary lab is potentially unsafe - some virus a student writes could leak out and spread across the Internet like something out of "The Stand." Bull. Now, I've beaten this drum in the past, but I don't think AV vendors are the last stop when it comes to dictating laboratory conditions to research teams. For example, I raised this point when AV vendors criticized Consumer Reports for doing their thing to test AV protection. Why is Sophos sufficiently versed in how to create a robust laboratory environment for malware research purposes but the University of Calgary isn't? Has Sophos studied the protection mechanisms that Dr. A has in place and published specific details on where they are lacking? No. Have they visited the lab to review the safety procedures? I doubt it. So why should it be accepted as a matter of course that they maintain a research lab, but somehow the University of Calgary doesn't have sufficient capability to do so? This argument is spurious. I've said it before, and I'll say it again: until somebody publishes some standards delineating acceptable practices for labs, nobody has the right to criticize. I don't buy it that vendors like Sophos, McAfee or Symantec are better equipped to maintain a lab than Universities; in other words, selling software does not give you a claim to special dispensation when it comes to doing research...
Posted by Ed at November 2, 2006 10:46 AM
I like the comment in the article that takes a dig at the AV response about torture/doctors, "He said he has a duty to properly use his new skills, just as a chemistry student has a duty not to make pipe bombs."
Holy crap, chemistry students have the know-how to make things go boom! We must stop that! In fact, and I know because I've been there, but even first year chemistry courses give away enough information about creative things you can do with a few components.
I think one of the biggest problems with this attack from AV vendors is they're attacking graduate students. Now, if this were teaching high school kids how to create spyware and spam apps instead of wood shop, we might have a point. But come on, these are people who have put in the time and effort and money to be ahead in research. We can't force everyone to live in ignorance of everything potentially devastating and yet still expect advancement.
The AV vendors would be better off attacking guns. We have firearms classes and gun shows and gun shops that sell guns. Guns kill people. Therefore we better make sure we never see any more guns. Ever. Right?
Posted by: LonerVamp at November 2, 2006 03:51 PM
LonerVamp,
Good point about the gun analogy; I hadn't thought to go in that direction, but you're totally right. AV vendors who say that malware is so dangerous that graduate students need to stop their research and that unbiased third parties like Consumer Reports need to stop their analysis are taking themselves WAY too seriously.
But what really tweaks me about this is the fact that vendors have a financially-motivated bias - that's not to say that AV companies can't have an opinion... But I really think we need to keep in mind that these companies are not in it as a public service. In other words, why are we looking to for-profit companies to dictate research ethics to the rest of the industry (and to academia no less?)
Do we look to Halliburton to set the ethical standard for diplomatic arbitration? Do we look to Philip Morris to dictate how research into the health effects of smoking is conducted? Not in this lifetime. Is it any different here; should AV companies be deciding what professors teach and how they do research? Bah.
Posted by: Ed at November 2, 2006 04:55 PM
Here's my take: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/02/learn_to_write_.html
Posted by: Pete at November 2, 2006 08:15 PM