Sunday, June 17, 2007

and then hell froze over

anti-virus companies do not hire virus writers, if i've said it once i've said it a thousand times... oh sure, there was that one example where a company which wasn't even in the security industry (their main focus being graphics) hired benny (aka marek strihavka) to be the lead developer of their anti-virus software (which wasn't actually for public consumption at the time) because they felt he was reformed (even though he still makes viruses available on his webpage) and was then thoroughly denounced by multiple members of the av industry... then, of course, there's the case of sven jaschan who was hired by a security company - but again NOT an anti-virus company or even a company looking to make anti-virus software, so one could say that he doesn't count (especially since his hiring resulted in the company losing an av company it had hoped to partner with)...

it may seem like these violate the "av companies don't hire virus writers" rule but in reality these edge cases (neither company is technically an anti-virus company) actually reinforce the rule by virtue of what the av industry does in response...

so you can imagine, then, how far my jaw dropped when john sharp, founder of authentium, solicited applications from students who graduated from a virus writing curriculum:
Authentium to George Ledin's students: if you're interested in a job, we'll look at your resume. Based on your training, our assumption is that you're going to do a better job helping us detect and defeat malware than someone without this knowledge.


now, i realize one might argue that people who learned to write viruses in school don't have the same motives as those who write and release viruses (though it occurs to me that a virus writing curriculum would appeal to exactly the type of person who would write and release viruses so you may actually be dealing with a population whose bad apple content is higher than average) and the debate has been weighed in on by far more influential individuals than myself - but, with many companies refusing to hire such students just as they would virus writers, mr. sharp's words are unexpected to say the least... i wonder if he's shared his philosophy with helmuth freericks, who was listed as the vp of r&d at authentium when he signed the public letter against teaching virus writing that's being hosted by the anti-virus information exchange network...

things get more interesting than that, however... authentium's (formerly command software systems') command anti-virus used to license the f-prot scanning engine and, given the identical naming produced by the two, it seems like it still does... that engine is produced by frisk software international... frisk has made his feelings on the subject of virus writing curricula very clear, stating that it's ethically unacceptable, so it'll be interesting to see what, if anything, becomes of this if authentium really does hire students who've taken such courses...
