Recently in The List of Dubious Research Category

The dark side of teaching


Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. And Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers—they're students in a computer-security class at Sonoma State University. And their professor, George Ledin, has showed them how to penetrate even the best antivirus software.

http://www.newsweek.com/id/150465

Back in my university years, we had a course dealing with the topic of Data Communications. Not unusual for my faculty, the lab part of the course included a couple of things which had nothing to do with communications. For instance, there was one homework which requested the students to write a boot virus. I went to the assistant and asked for another assignment, as writing viruses is not something I wanted to do. The assistant refused my proposal, refused to discuss the subject (he was 'busy') and subsequently gave me 0 points for that particular homework.

Every now and then, in a teaching institution, somebody comes up with the brilliant idea of teaching students about malware. I am not joking here, it IS a brilliant idea. What is however wrong with it, in 99% of the cases, is that the people who come up with the idea have absolutely no clue about ethics or just don't care about it. They also do not understand that writing malware is not the best way to teach people about how to protect against it. Actually, writing malware is the easy way; it is much easier to write malware than to write antivirus programs. Of course, there is also a dark attraction towards writing malware and young people easily fall prey to it.

Back to my university years and to the boot virus writing homework, only a few people bothered doing it. Of them, most actually took the Michelangelo (March6) source code and shuffled it around. A few years later, I heard that homework was removed from the course's curriculum. Most of the people were just taking existing boot viruses and patching them. And it wasn't really a Data Communications assignment per se.

There are many other more interesting things to teach about than writing viruses, sending spam and circumventing protection solutions. Yet, there will always be people willing to join the dark side, for one reason or another.

The bad thing is that their number seems to be increasing from year to year.

Cryptovirology


The List of Dubious Research - 3

A copy and paste from:

http://www.cryptovirology.com/

This chapter presents an experimental implementation of cryptoviral extortion, an attack that we devised and presented at the 1996 IEEE Symposium on Security & Privacy [16] and that was recently covered in Malicious Cryptography [17]. The design is based on Microsoft's Cryptographic API and the salient aspects of the implementation were presented at ISC '05 and in the International Journal of Information Security [14,15]. Cryptoviral extortion is a 2-party protocol between an attacker and a victim that is carried out by a cryptovirus, cryptoworm, or cryptotrojan. In a cryptoviral extortion attack the malware hybrid encrypts the plaintext of the victim using the public key of the attacker. The attacker extorts some form of payment from the victim in return for the plaintext that is held hostage.

GPCode was the first real-world malware to implement a PK "cryptoviral" extortion attack. In 2006, we were able to break the 660-bit RSA encryption employed by GPCode.ag. That was only possible because of several clever observations of our analysts; however, it is pretty obvious to anybody that a properly implemented attack of this type would be impossible to defeat. As I write these lines, I wonder how much the research from www.cryptovirology.com influenced the person behind GPCode.

The List of Dubious Research - 2


Another entry for the list. A so-called "security company" creates malware so they can better market their solutions:

Wilfried Hafner, CEO of SecurStar GmbH, has developed a Trojan horse, named "RexSpy", solely for demonstration purposes. The results are alarming.
...

SecurStar is offering the comprehensive security solution, PhoneCrypt, in addition to the Anti-Trojan tool (which is offered free of charge), to protect against all "electronic eavesdropping," be it via Trojan horse viruses or other professional eavesdropping tools, such as IMSI-Catcher.

[SecurStar GmbH's] team consists of renowned specialists and well-known experts from the IT business. Customers include [...] banks and financial service providers such as Citibank, as well as Scotland Yard and Ministries of Defense from different countries.

Thanks to Mady for sharing the link. Full story here.

PS: My colleague Roel Schouwenberg just started his own weblog. Cheers mate!

The List of Dubious Research - 1


I'm starting a list with projects that have questionable ethics, which I decided to pompously call "The List of Dubious Research". Feel free to comment if you think these are kosher or if they are 3v1l.

We will start with:

http://cs.ucsb.edu/~rsg/projects/smartphones/index.html

"Mobile phone viruses and worms are becoming more common and sophisticated. To better understand the threat posed by these class of malware, we developed a proof-of-concept mobile phone worm for the Symbian OS. Through the development of this proof-of-concept worm we gathered information about what is needed to develop a mobile phone worm, how mobile phone worms spread, and how targets are infected.

...

This research was supported by the Army Research Office, under agreement DAAD19-01-1-0484, and by the National Science Foundation, under grants CCR-0238492 and CCR-0524853."

Thanks to Roel for pointing this out to me.

About this Archive

This page is an archive of recent entries in The List of Dubious Research category.
