A Canadian university has sparked controversy with plans to include instruction on spamming and spyware techniques in a forthcoming computer security course.
Due to start in the autumn, the new Spam and Spyware course at Calgary University’s Department of Computer Science will offer students direct instruction in the techniques used by commercial spammers to bombard a hapless public with their messaging wares.
The course has already attracted criticism from the security industry, concerned over the possible uses of such knowledge. Among elements on offer during the course are "assignments that involve implementing spamming and spyware techniques, and their countermeasures, under controlled conditions".
Obviously aware of likely concerns, the course prospectus stresses: "STRICT assignment protocols will be in effect; failure to adhere to these protocols will result in an 'F' grade in the course." It also states that students "will be required to sign a form stating that you have read and understood the assignment protocols, and that you understand that misuse of the information in this course can result in civil and criminal penalties under the laws of Canada and of other countries."
The University also claims that ID checks will ensure all attendees are genuine students and not freelance spammers looking for inside tips. Classroom sessions, it has said, will be monitored by surveillance cameras, and electronic recording equipment will be banned.
It isn't the first time the university has been accused of questionable practices. In July 2003, the university was heavily criticised for instructing students on virus-writing techniques during another course. An employee of the then Network Associates, Jimmy Kuo, wrote in Virus Bulletin at the time: "What the advocates of this university course have not understood is why the AV industry simply cannot hire anyone labelled as a virus writer. The AV industry has forever been plagued by the comment, 'They write the viruses, don't they?' And as our business is based on trust, we cannot afford to give any credibility to that thought."
But much of the anger directed toward the university stems not from its intention to show students how spammers go about their business, but from the fact that it is doing so in a very public way. It is not inconceivable that would-be spammers will sign up to a course if they know for a fact that they will be taught the techniques they wish to learn. But the university naturally argues against the censorship of information just because of its possible misuse.
It also argues that defending against online threats requires an understanding of what techniques are used in the first place. While security companies argue it is in society's interests to restrict the availability of such information, doing so is no doubt in their industry's own interests as well.