Why Attacking Systems Is a Good Idea

PUBLISHED BY THE IEEE COMPUTER SOCIETY 1540-7993/04/$20.00 © 2004 IEEE IEEE SECURITY & PRIVACY 17 for refusing to abandon a project that could be used to attack systems. Nine years later, every system administrator uses network scanning tools as a regular part of their job. The logic behind improving your network’s security posture by breaking into it is no longer questioned. (You can find Farmer and Venema’s classic paper, “Improving the Security of Your Site by Breaking Into It,” at http://nsi.org/Library/ Compsec/farmer.txt.) In an ironic twist of fate, administrators who don’t use tools like Satan on a regular basis now run the risk of being fired. Yet when University of Calgary professor John Aycock announced a course on malware in Fall 2003, many indignant security vendors (including Trend Micro and Sophos) lined up to criticize him. The vendors claim that teaching students to understand and create malicious code is a mistake— that no good could come of such a course. On the flip side, the justification for such a course lies in the idea that the motivations and mechanisms of malicious code must be understood in order to be properly combated. So who’s right? Should we talk about attacking systems? Should we teach people how real attacks work? Is ethical hacking an oxymoron? Those are the sorts of questions that motivate this special issue of IEEE Security & Privacy.