Seems McAfee is holding a course this week on working with malware and how it works, where students will likely get hands-on learning in how to make a Trojan (or at least work with one) and do other things malware authors/users like to do. I first saw this from a post on Kurt Wismer’s blog.* In the post, Kurt goes over a few reasons why this course is a bad idea for McAfee.
I’m not sure I totally agree with him, but I don’t have any violent disagreements on this either. A few points I would bring up in defense of the course (yeah I’m marking the calendar as a day I actually gave a flimsy defense in favor of McAfee!).
1. The course is 4 hours and does have the attached cost of the Focus 09 conference on it. I’m not sure the course will have any newbie script kiddies in attendance looking to make their mark in the malware business.
2. Ok, the point of detractors to this course is not necessarily script kiddies, but possibly the newbie researchers getting their hands on these tools/skills the first time, and not fully understanding the risks of a rogue, not-contained piece of malware getting out of their home labs (or god help us their work environments if they experiment there!). Fair enough…but I think most virus-writers and even anti-virus writers probably had their start under worse conditions and less guidance.
I guess the point of 1 and 2 is that I’m not sure McAfee is introducing any new enablement with their course. If the labs/slides were made public, I would have more of an issue with it.
3. As defenders, we do need to stay abreast of these techniques. If learning how an attack can be done helps me be a better defender, I’m not sure I could argue against that. Well, not directly anyway. My point in going down this road is that maybe someone will write some malware and do Evil Things, but maybe someone may take this education and become the next senior engineer at Vendor X, or stop Evil Things in their own company. I don’t know, but I’d rather disseminate information if the Evil doesn’t outweigh…
I suppose one could pull in the analogy of bomb-making into this discussion. Is it ok to teach people how to make bombs? Perhaps not. Should anti-bomb engineers (yeah what they’re called right now is escaping my recollection) know how to make bombs? I think so.
4. Kurt has a great point that maybe McAfee, as an anti-malware company, shouldn’t be educating others on how to make more malware. I think this would be far more true if they were, say, teaching a room full of high school students. Less true here, although still a valid argument.
5. Kurt’s also correct in saying it doesn’t matter if McAfee is teaching these concepts using an already-existing toolkit or writing things from scratch. That really should have no bearing on the discussion.
In the end, I’m not holding fast to a Pro-course stance, but I would have some reasons to stay on the fence about this topic (agnostic if you will, while erring on the side of the course value).
* I like Kurt’s posts/opinions most of the time. Even if I don’t agree with them, he states them clearly and with informed conviction that all people should exhibit.
One thought on “mcafee course teaches students how to create/use malware”
“I guess the point of 1 and 2 is that I’m not sure McAfee is introducing any new enablement with their course. If the labs/slides were made public, I would have more of an issue with it.”
it’s not always about enablement. sometimes it’s about endorsement. the fact that mcafee will be using an existing malware toolkit means that yes people could do this without mcafee’s help, but mcafee is contributing to the idea that it’s ok to ‘play’ with malware.
“As defenders, we do need to stay abreast of these techniques.”
in the general sense this is true, but when was the last time knowing how to create malware aided you in defending your systems and networks from that malware? the fact is it doesn’t. this kind of information is only useful if you’re building anti-malware tools and the people hired for that purpose get plenty of training.
there aren’t a lot of anti-malware tools out there that you can add your own information to, even if you were to learn something from creating new malware.
needing to stay abreast of attack techniques doesn’t mean needing to create new malware yourself. you don’t need to create your own DDoS tool to stay abreast of DDoS attack techniques.