=========================================================================
Date: Tue, 15 Nov 88 08:35:45 EST
Reply-To: VIRUS-L@Spot
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #8

VIRUS-L Digest Tuesday, 15 Nov 1988 Volume 1 : Issue 8

Today's Topics:
Hi and Questions (request for virus info)
Bad versions of FLUSHOT (for IBM PC)
general virus query

---------------------------------------------------------------------------

Date: Mon, 14 Nov 88 15:20 EST
From: Darren Richer
Subject: Hi and Questions (request for virus info)

Hello Everybody! With the VAST and GREAT knowledge out there... (I know you're thinking "Now what does this guy want?" so I'll save the praise and glory.) I am looking for information on viruses (What else?). In particular, known origins (IE/ What was the first virus?), popular methods of attack, names of people who are experts in the field, books on the subject, respected articles, etc. Any help you lend will be greatly appreciated. (I am looking through the archives of this list at present and have been querying various listservers but this is getting on my nerves!) Thanks in advance.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Darren Richer BitNet: DARREN@LAUCOSC
c/o Laurentian University BellNet: (705) 692-4048
Sudbury Ont. Canada SnailMail: BOX 1006, Lively, Ont. POM 2EO

------------------------------

Date: MON NOV 14, 1988 17.21.35 EST
From: "David A. Bader"
Subject: Bad versions of FLUSHOT (for IBM PC)

FLUSHOT4 was a hacked version of FLUSHOT3 and a trojan horse. Ross Greenberg, the author of the FluShot series, then switched names to FluShot Plus (FSP+) to avoid confusion from the old, corrupt versions. Also, Ross has released versions 1.1 1.2 and 1.4 of FSP+ (he skipped version 1.3 out of superstition :-) ).
I would suggest that you do not use any other version than the most current release (version 1.4), since there are numerous bugs in the previous releases.

-David Bader
DAB3@LEHIGH

------------------------------

Date: Mon, 14 Nov 88 17:13 EST
From: David Larsen <11DLARSEN@gallua.bitnet>
Subject: general virus query

I am very curious about this VIRUS DISCUSSION LIST... I was wondering how do I know if the virus entered into my computer program. Is there a way to explain how to find how it shows up on the computer? I really don't understand much about the virus. Can you send some information about the virus that can cause the computer to crash, etc.? I would like to read that information. You may send the information to my computer at this station : in%"11dlarsen@Gallua.bitnet"

THANK YOU.....
11dlarsen

------------------------------

End of VIRUS-L Digest
*********************

=========================================================================
Date: Tue, 15 Nov 88 18:42:19 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #9

VIRUS-L Digest Tuesday, 15 Nov 1988 Volume 1 : Issue 9

Today's Topics:
Worms and Censorship (from ETHICS-L list)
Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)
Security@Aim.Rutgers.Edu -- has anyone seen it?
Request for general virus information
FBI request for Internet Worm info
Re: Virus writers
Nightline report on computer (Internet) worm
Comments on "Computer Viruses" book

---------------------------------------------------------------------------

Date: Fri, 11 Nov 88 16:38:00 EDT
From: "Peter D.
Junger"
Subject: Worms and Censorship (from ETHICS-L list)

On the off-chance that nobody else forwarded this message to virus-l, and knowing that the list is now moderated, here is:

- ----------------------------Original message----------------------------

I am surprised that I have, as yet, seen no discussion on this list (or Virus-L or Risks) of the issues raised by an article which appears in today's (11/11) National Edition of The New York Times on page 12 under the byline of John Markoff and headlined: "U.S. Is Moving to Restrict Access To Facts About Computer Virus." I shall type in the first two paragraphs, and trust that you will forgive my typos.

"Government officials are moving to bar wider dissemination of information on techniques used in a rogue software program that jammed more than 6,000 computers in a nationwide computer network last week.

"Their action comes amid bitter debate among computer scientists over whether the Government should permit widespread publication of details about how disruptive programs work and about flaws in computer networks that can be exploited. Some oppose restrictions, while others argue that such details should be treated as highly sensitive information."

The fourth, and key, paragraph reads as follows:

"Yesterday, officials of the National Computer Security Center, a division of the National Security Agency, contacted researchers at Purdue University in West Lafayette, Ind., and asked them to remove information from campus computers describing the internal workings of the software program that jammed computers around the nation on Nov. 3."

How many members of this list have been visited by the censors? How many have purged their - or public - files at the request of the government? How many have told the spooks to go fly a kite?

Peter D.
Junger
JUNGER@CWRU

------------------------------

Date: 15 November 1988, 12:28:19 GMT
From: Ahmet Koltuksuz (51)275858 BILSER3 at TREARN
Subject: Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)

hi there i am collecting all the available info on christmas exec trojan horse which infected ibm mainframes couple of years ago...all info and/or source address which an info may be got welcome...... thanks to all in advance.

ahmet koltuksuz
grad.student of computer sci. specializing in comp. security
e mail ====== bilser3 at trearn

------------------------------

Date: Mon, 14 Nov 88 23:16:30 est
From: shafferj@amethyst.bucknell.edu
Subject: Security@Aim.Rutgers.Edu -- has anyone seen it?

Has anyone received any messages from Security@Aim.Rutgers.Edu or its Bitnet redistributions since about the beginning of 1988? I haven't, and I'd love to see what they had to say about the Sendmail virus. Of course there'd be reprints from RISKS and probably Virus-L :-), but they would probably have a lot of stuff we haven't seen here. But they don't seem to exist, as far as I can see.

[Ed. I'm also on that list, and can't remember the last time that I saw any output from it.]

Also, has the virus generated any talk on Info-VAX? I don't read it because it's too unreliable and creates too much traffic, but I would hope that someone there is discussing the problem with Ultrix. (Though every time there was a VMS security hole discovered, half the net was flaming the other half to the effect that it shouldn't be talked about because the wrong people might hear about it! I've got news for them, the wrong people already have heard before anybody on that list...)

Don't reply to the list unless you come up with an interesting cross-post. Just mail me here at shafferj@amethyst.bucknell.edu.

Thanks,
Jim

------------------------------

Date: Tue, 15 Nov 1988 09:09 EST
From: [Ed. Sorry, this is all the header info I got.]
Subject: Request for general virus information
Date: 15 Nov 88

Since some of the users of this discussion list had mentioned that they were working on manuals and/or presentations concerning computer security in the academic world, I am passing on to you a request from a BITNET user. Liisa Rautianen, a Finnish university student, is preparing a thesis on computer security. While I have provided some materials about computer security, they have been from a business world viewpoint. She is looking for additional information and points specific to the academic world. If anyone can help her, please contact me or Liisa at (TKOP-LR@FINOU.BITNET). Thank you.

------------------------------

Date: Tue, 15 Nov 1988 9:39:27 EST
From: Ken van Wyk
Subject: FBI request for Internet Worm info

This was found recently in Usenet newsgroup comp.protocols.tcp-ip:

From: TomZ@DDN1.ARPA
Newsgroups: comp.protocols.tcp-ip
Subject: FBI Contact re: November Internet Virus
Date: 14 Nov 88 05:03:00 GMT

Were YOU hit by the November Internet Virus? The FBI wants to hear from you!

The Federal Bureau of Investigation is attempting to gather critical information necessary to pursue this case under the Computer Fraud and Abuse Act of 1986. (This is the statute that makes it a federal crime to penetrate a computer owned by or run on the behalf of the Government.) The FBI Case Agent has asked the Defense Data Network Project Management Office to collect the names of organizations and Points of Contact (names and phone numbers) that were hit by the Virus. The Defense Communications Agency has established an E-Mail address for this collection at:

INFO-VACC [at] BEAST.DDN.MIL

Points of Contact should expect to be contacted by their local FBI agents for dispositions due to the wide geographical area involved.

I * M * P * O * R * T * A * N * T

The FBI needs this information to pursue the case. If we expect their aid in the future, we need to help them now.
PLEASE GIVE THIS MESSAGE MAXIMUM DISTRIBUTION; NOT EVERYONE IS ON "TCP-IP"!

/s/
Tom Zmudzinski
DDN Security Officer
(703) 285-5206

------------------------------

Date: Tue, 15 Nov 88 07:58 EST
From: WHMurray@DOCKMASTER.ARPA
Subject: Re: Virus writers
In-Reply-To: Message of 14 Nov 88 11:24 EST from "Ed Nilges"

>I'd like to begin a dialogue about virus threats to VM/CMS.

Be careful what you ask for; you might get it.

>.......... and Object Code Only creates alienated and ignorant
>systems installers.

Arguable at best, argumentative at worst, not likely to lead to a very productive discussion.

>These two technical holes are said to be closed in release 5, but there
>is discussion of more and better facilities on VM for remote execution.
>This discussion should take the Morris virus into account.

IBM has done an outstanding job of plugging the special exposures in RSCS. They have done it on a timely basis. They have employed the safe defaults, even when these were disruptive to existing applications or not "user friendly."

Nonetheless, Ed is correct. As demonstrated by the Christmas Card, VM systems and nets are very vulnerable. The vulnerability arises more from the style of use than from product characteristics, but the design does contribute somewhat.

The Christmas Card simply duped users; it did not exploit any special vulnerabilities. The only way to have protected against the CC would have been to so restrict function as to do away with the system. This is to say, users and style of use will always be the biggest exposures in VM.

The feature that concerns me the most is that executables and other data objects share the same name space. Most loaders and interpreters in VM expect filetypes such as EXEC, MODULE, MACRO and PROFILE. This is a short list. However, this is a convention only; there is no hard and fast separation between procedures and data.

As Ed's posting suggests, there are a number of remote execution facilities implemented under VM.
Indeed, any user can leave his virtual machine running, in disconnected mode, and with a remote execution facility running. He can write such a facility himself, or he can get it from somewhere else.

However, remote execution facilities are not exposures in and of themselves. Sendmail was an exposure because it was widely used. A single instance would not have been an exposure; neither would have been a collection of dissimilar facilities.

[I have been, in what seems the distant past, employed by IBM.]

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Tue, 15 Nov 88 09:46 EST
From: Dana Kiehl
Subject: Nightline report on computer (Internet) worm

I watched the "Nightline" report on the computer worm last Thursday the 10th. The taped report on the worm was done very well and I got the impression that even those who don't know much about computers could easily understand it. However, the live interview with the computer experts (including Wozniak(sp?)) was in my opinion, completely worthless. The two men argued back and forth about whether a bank's computer could be hit with a virus (among other things) and I myself was never satisfied with anybody's answer. I don't think even Koppel was enlightened at all. If anybody watched it to understand about the worm or potential future virus invasions, they came away even more confused, myself included.

[Ed. I saw it too, (Thanks for the tape, David!) and I agree; it didn't say much. There seemed to have been just too much to cover in too short a time to too limited an audience.]

------------------------------

Date: Tue, 15 Nov 1988 11:29:39 EST
From: Ken van Wyk
Subject: Comments on "Computer Viruses" book

I skimmed over the book "Computer Viruses" by Ralph Roberts (Compute!
Books Publications, Copyright 1988, list price $14.95) last night, and it seemed to be a pretty fair layman's description of the past year's viruses, particularly microcomputer viruses (PC, Mac, and Amiga). It seemed to be written along the lines of most computer books; relatively short (167 pages), easily readable, and concise, but without covering too much information. It also includes a review of a whole slew of anti-virus products that's worth looking at (it covers software for PCs, Macs, and Amigas). Don't expect the world, but it's not a bad overview, in my opinion.

Ken

------------------------------

End of VIRUS-L Digest
*********************

=========================================================================
Date: Wed, 16 Nov 88 08:36:52 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #10

VIRUS-L Digest Wednesday, 16 Nov 1988 Volume 1 : Issue 10

Today's Topics:
Cryptoviruses
Viruses in VM/CMS
Re: Security@Aim.Rutgers.Edu -- has anyone seen it?
hiring virus writers and evil hackers
ramifications
Viruses in Military Computers

---------------------------------------------------------------------------

Date: Tue, 15 Nov 88 19:22 EST
From: Lynn R Grant
Subject: Cryptoviruses

There are several crypto packages on the market that implement the DES algorithm on PCs. A couple that come to mind are "Codename: Password" and I believe Sidekick (I may have the name wrong). I have been thinking (and worrying) lately about how a virus could exploit these packages to make itself very painful to remove.

Here is how it would work: The virus would go along, propagating itself in the normal way, but it would recognize when it had attached itself to the crypto program.
It would then modify the encryption tables slightly in a reversible way, so that encrypted things could be decrypted (in DES, the IP and IP-1 tables would probably be the most appropriate targets). It would then have to know if files were encrypted the old (good) or new (bad) way. If there is some kind of a crypto header in the file, it could stuff the information in an unused bit; or maybe it could do it based on date. Anyway, if you decrypted an old file, it would work fine, and if you encrypted a new file then decrypted it, it would work fine.

But suppose you discovered the virus, and re-installed all your software to ensure that your system was clean. Suddenly all the files you had encrypted after the initial attack of the virus would be garbage. If you put back the virus-laden version of the crypto package, you could get at your files, but the virus could continue to spread.

Of course, on a system where gurus were available, it would be possible to compare the infected and uninfected versions of the crypto package, disassemble the changes, and come up with the necessary zaps to make a crypto package that would decrypt the damaged files without propagating the virus. A system with only non-technoid users would not have this option. (And if the virus chose its modifications to the crypto tables randomly when it first infected the crypto package, it would make it hard for a central support organization, or the VIRUS-L forum, or whatever, to provide all the crypto users with patches to decrypt the damaged files.)

I must admit that most of my experience with computers and DES has been on large mainframes (IBM MVS and VM), so I may have overlooked something that would make this attack less of a concern, but if I have, I don't see it. (I guess that's what overlooking's all about.)

Lynn Grant
Technical Consultant
Computer Associates International, Inc.

Disclaimer: These are my opinions, not those of my employer.
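
An added illustration of the scenario in the message above, not part of the original post and not code from any product it names. It uses a toy Feistel cipher constructed here (not DES; every name, key and table in it is an assumption) with a DES-style permutation table. It shows that a consistently altered table passes an encrypt/decrypt round trip, fails known-answer vectors and a table digest check, and that a table diff is what trusted code needs to read files written while the altered copy was installed.

```python
"""Toy 64-bit Feistel cipher with a DES-style bit-permutation table.
Constructed for illustration only: this is NOT DES and is not secure."""
import hashlib

ROUNDS = 16
KEY = b"constructed-test-key"  # constructed sample key

# Constructed stand-in for DES's IP table (37 is odd, so this maps the 64 bit
# positions one-to-one).
CLEAN_TABLE = tuple((37 * i + 11) % 64 for i in range(64))

# The alteration described in the post: two entries exchanged. It is still a
# permutation, so it has an inverse and the package keeps "working".
_t = list(CLEAN_TABLE)
_t[0], _t[3] = _t[3], _t[0]
TAMPERED_TABLE = tuple(_t)


def invert(table):
    inv = [0] * 64
    for out_bit, in_bit in enumerate(table):
        inv[in_bit] = out_bit
    return tuple(inv)


def permute(block, table):
    """Output bit i takes its value from input bit table[i]."""
    out = 0
    for out_bit, in_bit in enumerate(table):
        out |= ((block >> in_bit) & 1) << out_bit
    return out


def _round(half, key, rnd):
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def _feistel(block, key, order):
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in order:
        left, right = right, left ^ _round(right, key, rnd)
    return (right << 32) | left  # final swap: decryption is the same network


def encrypt(block, key, table):
    mixed = _feistel(permute(block, table), key, range(ROUNDS))
    return permute(mixed, invert(table))


def decrypt(block, key, table):
    mixed = _feistel(permute(block, table), key, reversed(range(ROUNDS)))
    return permute(mixed, invert(table))


# Reference data recorded from the trusted build (stands in for published
# test vectors). One-bit plaintexts exercise every table entry.
KAT_VECTORS = tuple((1 << i, encrypt(1 << i, KEY, CLEAN_TABLE)) for i in range(64))
TRUSTED_DIGEST = hashlib.sha256(bytes(CLEAN_TABLE)).hexdigest()


def round_trip_ok(table):
    """The check that is NOT enough: a self-consistent altered table passes it."""
    sample = 0x0123456789ABCDEF
    return decrypt(encrypt(sample, KEY, table), KEY, table) == sample


def failed_vectors(table):
    """Known-answer test: plaintexts whose ciphertext differs from the reference."""
    return [pt for pt, ct in KAT_VECTORS if encrypt(pt, KEY, table) != ct]


def table_intact(table):
    return hashlib.sha256(bytes(table)).hexdigest() == TRUSTED_DIGEST


def changed_entries(trusted, suspect):
    """Table diff: what a recovery tool needs to read files written while infected."""
    return [i for i in range(64) if trusted[i] != suspect[i]]


if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("tampered", TAMPERED_TABLE)):
        print(name, "round trip:", round_trip_ok(table),
              "| KAT failures:", len(failed_vectors(table)),
              "| digest ok:", table_intact(table))
    secret = int.from_bytes(b"PAYROLL!", "big")  # constructed sample block
    ct = encrypt(secret, KEY, TAMPERED_TABLE)
    print("clean build recovers file:", decrypt(ct, KEY, CLEAN_TABLE) == secret)
    print("trusted code + extracted table recovers file:",
          decrypt(ct, KEY, TAMPERED_TABLE) == secret)
    print("entries changed:", changed_entries(CLEAN_TABLE, TAMPERED_TABLE))
```

The reference vectors and digest only help if they are stored where the infected program cannot rewrite them, for example on write-protected media kept with the original distribution disks.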
------------------------------

Date: 16 November 1988, 01:00:06 ECT
From: Stig Hemmer HEMMER at NORUNIT
Subject: Viruses in VM/CMS

This discussion started in ETHICS-L, but I think it should be continued in VIRUS-L. Somebody mentioned the Christmas Card 'virus'. I would just like to mention the really BIG security hole in VM/CMS. The CCv did not use this hole, but if it had it would have been MUCH worse.

VM/CMS has a 'feature' that when a program returns to toplevel anything left on the program stack will be parsed as commands. Pretty useful sometimes but it makes possible some hideous bugs and security holes. RECEIVE EXEC has such a bug, if a spoolfile is of incorrect format RECEIVE may leave part of it on the stack upon exit. SENDFILE or NOTE will never make such a file of course, but more low level commands make it possible.

I don't know any more details (and wouldn't publish them anyway), but the cure is simple: Insert a MAKEBUF in the start and a DROPBUF in the end(s) of RECEIVE. (Be careful though not to change the effect of the STack option.) Everybody should use M/D in their programs as it makes them infinitely more robust.

-Tortoise

PS: DISCARD uses RECEIVE but I think (and hope!) that it is more robust.

------------------------------

Date: Tue, 15 Nov 88 21:16:19 EST
From: msmith@topaz.rutgers.edu (Mark Robert Smith)
In-Reply-To: "shafferj@amethyst.bucknell.edu"'s message of Mon, 14 Nov 88 23:16:30 est
Subject: Re: Security@Aim.Rutgers.Edu -- has anyone seen it?

Hobbit, who moderates that list, has been busy working on the big move from the vax AIM.RUTGERS.EDU to a Sun PYRITE.RUTGERS.EDU, which is now aliased to AIM. He says that the list will re-awaken when he gets done with the move.

Mark
- ----
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604; P.O. Box 5063 that you do not miss what is right under your nose."
New Brunswick, NJ 08903-5063 {backbone}!rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu R.I.P.
Individual Freedoms - 11/8/88

[Ed. Thanks for the update!]

------------------------------

Date: Tue, 15 Nov 88 15:17:10 EST
From: Jefferson Ogata (me!)
Subject: hiring virus writers and evil hackers

Not all evil hackers are meet for hiring. Morris at any rate would not be a prime candidate, despite his successful attack, because the attack mode was not the result of his own research, nor was his code particularly excellent. Apparently the debug hole was revealed to him by other sources, so there is no evidence he is a wonderfully clever hacker. Burleson also is not a candidate; he simply planted an evil program in his former employer's computers. Once again, no evidence of extreme cleverness.

Evil hackers can be hired by major companies if the following two constraints are met: the hacker has, through his own initiative and intellect, explored security holes or bugs that were not widely known; the hacker himself has not become famous. The first constraint simply means that there is no practical reason for a company to take any risk with someone who ain't that smart. The second constraint is very important, and is the reason why you won't see publicly known hackers getting great security jobs. Ignoring this constraint would promote the image that anyone could get a great job by being an evil hacker. There is apparently enough incentive for this kind of behavior already; if employers increased the incentive, they would merely be complicating their own hiring process.

One other reason why Morris hasn't got a chance at getting hired is that the media has portrayed him essentially as a wimp. Everything they've described about him implies that he's a man with no balls. Real evil hackers have got to have balls.

I wish people would stop trying to inject morality and ethics into the question of whether hackers should get good jobs. The question is not 'should'; it is 'will', and morality has nothing to do with it; it's called economics.
Part of being a successful business is knowing when to take a risk. Ethics are only an issue when the public finds out about it.

- - Jeff Ogata

------------------------------

Date: Tue, 15 Nov 88 18:39:14 EST
From: "Homer W. Smith"
Subject: ramifications

With all due respect, Mr Doug Hunt could not be more wrong. Those of us who have some small access to memories of our past lives have learned that people do to others what was done to them. People who fervently believe that criminals should be executed were criminals themselves in a past life and were executed. In this life they are self righteous upstanding citizens who have 'never lived before and would NEVER have done such a thing.'

When we incarcerate people or ruin their lives for 'crimes against the empire' we punish them and satisfy our hurts by doing so, and maybe we scare those who would follow in their footsteps, but we always fail to extract the amends from such people that they owe us and must give in order to be rehabilitated. I would be proud to have Mr. Morris as a security expert for our nation as long as the proper amends is allowed to take its course. Amends does not mean I break your toy because you broke my toy. Two broken toys is two broken toys. Then we BOTH owe amends to society.

The road to hell is NOT paved with good intentions. That is just Christian/Creationist double junk and they know it. THESE people who rant and rave in such a way are a FAR GREATER danger to our national security than Mr. Morris. They are just jealous as hell that Mr. Morris is brighter than they are and could undermine their computer defenses while scribbling on napkins over morning coffee.

God does not approve of a society that produces criminals or can not handle them once they produce themselves. God can handle them. Why can not we? Have we bought the line that some people SHOULD not be handled? Or that some people CAN NOT be handled? Or that God does not WANT us to handle them? Rutremish.
Especially for someone like Morris who is clearly very far from the pit. Probably farther from the pit than the American Government themselves in their dealings with the world at large. Why punish when you can salvage? Surely Morris is salvageable. (Don't tell me I am a bleeding heart Liberal. I voted for Bush. If you want to worry about viruses, worry about HIM.)

Morris needs to make amends. Not by having his toys broken because he broke ours, but by whatever means necessary so that we can feel resolved about the matter and in some sense be glad it happened with no lingering resentments or bitterness, and most importantly in a way that society can feel safe trusting Morris with the run of the land again.

[Ed. Any (hypothetical, of course) suggestions?]

Placing Morris in jail or ruining his career may satisfy the stone cold hearts of some but it won't make a better land for any of us. The Eternal NAME is not SHAME.

Homer Wilson Smith
Hubbard Fractal Research Laboratory
Cornell National Supercomputer Facility

------------------------------

Date: Tue, 15 Nov 1988 15:30:05 EST
From: Gabriel Basco
Subject: Viruses in Military Computers

I was wondering. There might be a possibility there is a bug in one of the fire-control programs that might just start working when a real threat appears. Is it possible and can be done against it?

[Ed. I would think that's what they do drills for. In a (properly planned) drill, the computer (or other controlling agent) would truly believe that it is the real thing. Comments?]

------------------------------

End of VIRUS-L Digest
*********************

=========================================================================
Date: Wed, 16 Nov 88 16:01:39 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R.
van Wyk"
Subject: VIRUS-L Digest V1 #11

VIRUS-L Digest Wednesday, 16 Nov 1988 Volume 1 : Issue 11

Today's Topics:
Ye Compleat Vyrusse
Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)
Re: 1-Header problems, 2-Nightline broadcast, 3-Computer Virus Book
Working with the press
Re: 1) "Great hackers...." 2) Viruses in military computers

---------------------------------------------------------------------------

Date: Wed, 16 Nov 88 09:34:45 EST
From: Sean T Montgomery
Subject: Ye Compleat Vyrusse

I'm only a recent subscriber, so please bear with me if this has been discussed into the ground. I would be interested in receiving as complete a list as possible of microcomputer (preferably Macintosh) "anti-viral" programs, and/or a list of servers or persons who have these programs available thru E-mail. I would like to have a copy for my own sake, and also for sending to people who show up on one net or another saying "Help!!! I've got a virus!!! What do I do!!!"

Case in point: nVIR can be removed a number of ways, some simpler than others (the KillVirus INIT seems to beat everything else). I'd like to find out what other virus killers/protectors are best for other situations. Thanks.

------------------------------

Date: 16 November 1988, 10:05:17 EST
From: David M. Chess CHESS at YKTVMV
Subject: Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)

How time flies! *8) It was actually last December (around Christmas time, for some reason). There is pretty extensive discussion in RISKS DIGEST around that time. No need to restate it all here, I suspect?

DC

------------------------------

From: J. D. Abolins
Date: 16 Nov 88
Subject: Re: 1-Header problems, 2-Nightline broadcast, 3-Computer Virus Book

1) I was the one who has passed on the computer security info request Liisa R. Before this list was digested, my messages would get a header somewhere along the line, now they don't. So I'll remember to enter manual "headers".

[Ed. Sorry for the confusion there.
I don't know why your mailer didn't send out a proper header...]

2) I also saw the ABC TV NIGHTLINE broadcast. I am formulating a letter with comments to send to Mr. Koppel, Fred Cohen, Steve Wozniak, and Mr. Sherezin. The comments are basically-

A. Thanks for the broadcast and its coverage of computer viruses
B. Comments in an attempt to wade through the cross-communications that ensued.
C. An outline of issues related/for computer viruses.

While it will most likely have little impact, it's worth a try. I keep in mind that the interviewees faced several challenges that I and other viewers don't have- a late hour interview (for Fred Cohen and Mr. Sherezin), interview via separate satellite hookups, and the time constraints of a live TV interview.

For those who didn't see the program, let me describe the debate or cross-communications that occurred. Ted Koppel, the interviewer, asked the interviewees about the risks of computer viruses. Unfortunately, Mr. Koppel's question used the scenario of a "hacker" using a virus in a bank's computer system to extract money from other people's accounts and place into his/her own account. Steve Wozniak, a long-time advocate of free-wheeling computer creativity, protested that the risk was practically non-existent, that computer fund theft cases have almost always been committed by insiders, and that banks have extensive security and auditing safeguards. Fred Cohen countered Steve Wozniak's claims by emphasizing that the safeguards are not 100% effective and that computer viruses pose a real threat. After several volleys between the two men along these lines of thought, Fred Cohen claimed that Steve Wozniak was making his claims of low risks because he has an affinity for the "hackers" and their mindset.

Knowing Fred Cohen's work, at least in part, I understood what he was driving at. But many viewers may have gotten lost in the debate between Fred Cohen and Steve Wozniak.
As said before, the risks of computer viruses were presented wrapped in a poor scenario. Also the terminology could have been better defined by ABC TV. The term computer virus was defined much too broadly. Also, the term "hacker" has too many connotations for safe use, especially with the diverse backgrounds of the interviewees. (This is a lesson I am keeping in mind for my articles.) To some, like Mr. Wozniak, "hacker" means a creative, inquisitive programmer who MAY be mischievous and wanton. To others, a "hacker" is DEFINITELY a programmer who engages in illicit and illegal activities. (Also remember that Apple Computers, co-founded by Mr. Wozniak, thrived on the "hackers" of Mr. Wozniak's definition.)

With the bank fund transfer scenario, one of its problems is that it is not a typical form of virus impact or design goal. Mr. Wozniak was right about bank computer fraud; it has been done with at least the help of insiders and the programs were not viruses. They may be Trojans, worms, or simply modifications to existing software (as in the "salami slicing" technique.) Someone during the broadcast alluded to the "Fort Worth, TX" case (the Burleson case) as an example of a virus used for banking computer fraud. Quite inaccurate, but understandable statement since the definitions were not pinned down. (Plus, I am a lot more finicky about the definitions than most people who report the computer cases to the public. It seems that the reporters and even the computer specialists will lump other harmful programs with viruses. Perhaps, it is done so not to "confuse the viewers/readers with too many terms"; plus the term virus is very catchy.)

The more common forms of virus damage and design goals include general disruption of systems, subtle tampering that may reduce the perceived trustworthiness of computer systems, economic dissipation, and electronic flagging of one's "accomplishment" (as wanton as it is.)
With what I've said, I want to emphasize that I am not flaming Ted Koppel either. He admitted in the broadcast that he is not at all familiar with computers. Most likely, he got a ten or fifteen minute briefing before the show.

3) I've started reading the COMPUTER VIRUS book (from COMPUTE! Book Publications, copyright 1988, price about $16 US.) It seems to be a good general introduction to the subject written for the average computerist. It covers MS-DOS, Mac, Amiga, and, to some degree, Atari ST computer viruses. Case histories are given. (The Hebrew University case was adequately treated without the sensationalism of some other accounts.) A sensible list of preventative measures is given. (I can recognize some of Pam Kane's contributions here.) Plus an overview of anti-viral software. The only "minus" comment is the cover artwork. This is a matter of differences in taste. So don't judge the book by its cover. (Nor a posting by its length. (: -)

------------------------------

Date: Wed, 16 Nov 88 12:16:52 CDT
From: Len Levine
Subject: Working with the press

With respect to the Nightline interview, I would like to say this. I have been interviewed by the press several times in the past and during this episode I was interviewed for many hours by several local reporters.

I worked for two hours with each of two Television reporters with cameras on for all of that time. What resulted was a one sentence live shot taken from a two hour interval on each station. Some of my comments were used by the reporter and, as luck would have it, were taken correctly and in context. The sessions went well.

Two days later, I was on the phone for an afternoon with a reporter from the Sunday Milwaukee Journal. The result was about 1/4 page with my interview handled well.

Finally, a few days later, quite an expert now, I was interviewed live on the radio (local talk show) for 20 minutes with a commercial break in the middle.
People who saw the shows and read the paper said that I was treated fairly and that the reports came off well.

Some advice:

1. Spend a good deal of time with the press. If you have not done so before, teach them all about the issues, they want to learn and, professionally, pick things up quickly. If you are off the air, get them to explain back to you what they heard and correct them if they get it wrong.

2. News reporters are alarmist by nature. DOWNPLAY the news. They will pick up the most provocative remark you make. Find a way of discussing what you have to say in a quiet, amusing fashion, they will use that. Be careful and say nothing on camera that is wrong, even when taken out of context. (Very hard to do.)

3. Spell your name to them. Spell out the jargon words and explain them. Clarity is next to godliness.

Just some advice from a TV star.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                 e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science       Office (414) 229-5170         |
| University of Wisconsin-Milwaukee Home   (414) 962-4719         |
| Milwaukee, WI 53201 U.S.A.        Modem  (414) 962-6228         |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

From: J. D. Abolins
Date: 16 Nov 88
Subject: Re: 1) "Great hackers...." 2) Viruses in military computers

1) A recent message included the statement "Great hackers go to have balls." Hmmm.... does that limit "hacking" to males or do hackers purchase golf balls, basketballs, footballs, etc. from a sporting goods shop?

On the serious side, there was an article posted a few months ago comparing the "tracker" against the "intruder". It pointed out that there are many character differences between the two. That article made many good points. Also, I recollect a comment by Don Parker against the hiring of "hackers" (the illicit/illegal variety) in the computer security field.
The publicized hiring of "intruders" would give the message that "one good break-in is worth a thousand resumes in the mail." for job-seeking computerists.

Of course, there are companies and other potential employers who have a very different set of scruples or none at all. "He's brilliant! He's a genius! And he will stop at nothing to get his goals! Perfect for the job!" As Charles Colson of Watergate fame expressed, he would have run over his mother with an automobile for the sake of Richard Nixon.

2) Military computer virus threat: There have been several studies of the potential hazards of viruses for military computers. I have no special access to the results, so I am speaking from conjecture and a mosaic of information.

It must be remembered that many military computer systems, especially the tactical combat types, are not the everyday PC's and Mac's. Many are drastically different in hardware and software from the multi-functional civilian systems including the ones used for military administrative tasks- word processing, quartermaster inventories, etc. They are not linked to each other in the conventional sense, so a virus would not spread easily. Some systems may use radio linking for various functions, but the links are nowhere as wide open as that of civilian links.

The introduction of a virus into a tactical system would require either an insider or the infection of the systems used to make or maintain the tactical system. The way the military tactical computers interpret files would in many cases require a virus designed specifically for them. Drills may spot virus caused damage in some cases, should it happen. Unless designed specifically otherwise, I guess most viruses that get into a tactical combat system would either do nothing or cause a system crash. Usually, it should not fire off anything, unless the system was a restraining system designed to fire in case of failure.
I have focused on tactical systems, such as the one used for artillery solutions, the naval combat systems such as the ones made by Elbit, the computers used for aircraft weapons systems and EW ( which are very specialized processors and not full functionality computers), etc.

The situation with strategic systems is another story. They are likely to use full-functionality systems, including ones of common make. Using common types of computers increases the virus risk because accidental infection from the general computing community is more likely.

A variation of the virus hazard.... the scenarios revolve around a virus affecting a military fire-control system so that it launches. Yet a more likely virus impact can occur before the weapons system makes it to production. Imagine if the CAD/CAM or CASE tools of a government contractor were affected, especially with a subtle acting code that skewed values randomly or specifically. The results can range from delays and cost overruns to failure in the field.

Another variation, based on the action of many known viruses, the virus (or Trojan code) catastrophically damages the programs used by a military computer. Possible results, an artillery battery is suddenly unable to obtain solutions via computer, a forward-sweep wing fighter loses control, etc. But these would have to be custom designed programs and are not likely to occur.

------------------------------

End of VIRUS-L Digest
*********************
=========================================================================
Date: Thu, 17 Nov 88 08:33:54 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #12

VIRUS-L Digest Thursday, 17 Nov 1988 Volume 1 : Issue 12

Today's Topics:
Re: [STMONTG@PUCC: Ye Compleat Vyrusse]
Domesticating "evil" hackers.
Re: Military Systems
Re: FluShot+ versions

---------------------------------------------------------------------------

Date: Wed, 16 Nov 88 11:00:17 EST
From: Joe McMahon
Subject: Re: [STMONTG@PUCC: Ye Compleat Vyrusse]

>From: Sean T Montgomery
>Subject: Ye Compleat Vyrusse
>I'm only a recent subscriber, so please bear with me if this has been
>discussed into the ground. I would be interested in receiving as
>complete a list as possible of microcomputer (preferably Macintosh)
>"anti-viral" programs, and/or a list of servers or persons who have
>these programs available thru E-mail. I would like to have a copy for
>my own sake, and also for sending to people who show up on one net or
>another saying "Help!!! I've got a virus!!! What do I do!!!" Case in
>point: nVIR can be removed a number of ways, some simpler than others
>(the KillVirus INIT seems to beat everything else). I'd like to find
>out what other virus killers/protectors are best for other situations.

Sean, I've compiled such a list as a HyperCard stack. I have been planning to convert it into an article for Computers and Security, but...

Anyway, the stack lists all of the software which I've been able to get hold of for evaluation. It does NOT include KillVirus, because I haven't been able to get a copy so far. It does, however, give a short review of each program (along with a longer one, if you want it) and a description of the viruses I've been able to confirm so far. It includes hand-removal instructions for each of the viruses, along with my recommendations based on the software I've seen.

The software itself is available from LISTSERV at SCFVM. You may either order the whole package, or selected pieces. TELL LISTSERV AT SCFVM INDEX PUBLIC for a list of files.

Please, if you can, send me KillVirus so I can add it to my stack and to our server. I've just gotten the latest release of ResEdit and will probably be adding it to the distribution later this week.
If you can get me KillVirus, I'll put it into the same distribution.

- --- Joe M.

------------------------------

Date: Wed, 16 Nov 88 19:06 EST
From: Robert Stratton
Subject: Domesticating "evil" hackers.

Hello all,

Just my two cents, and as I like the (normally) non-flaming nature of this list, I'll try to keep it brief.

SET /FLAME=ON

[Ed. I'd hesitate to call this a flame; rather, it's a heated discussion... Flames, of course, are strongly discouraged on VIRUS-L. Anyone feeling the uncontrollable urge to flame should send his/her flame to the author of the culprit message, please.]

One major point that I rarely hear discussion on regards the fact that many of these "nether" hackers are simply champing at the bit for an opportunity to do *any* sort of productive work in the industry. Now this is by no means all of them, but I have seen several people who were just starting to turn toward possibly destructive hacking endeavors who made radical changes in behavior and attitude when given a chance to participate in a professional capacity.

I think it is unwise to automatically assume that if we were to (God forbid) offer employment to all of these people our "destructive hacker" problems would be solved. On the contrary, many statistics indicate that the majority of computer fraud incidents are currently and have always been perpetrated from within organizations. My point is simply that it is also unwise to ignore the fact that some of these urchins (age notwithstanding) are highly motivated individuals who merely need a professionally creative outlet.

Let's face it, there are a significant number of people in D.P. or C.S. who have no real love for it, and have fallen into the "money/marketability" trap as originally defined the medical and legal professions. (No offense intended.) In my experience, it is also a risk, although of another sort, to employ people with zero enthusiasm for the work they are doing.
I place a great value on enthusiasm, because people with enthusiasm and some discipline can and will learn whatever else they need to, be it standards or practices. (Yes, "ethics" fit in there somewhere.)

SET /FLAME=OFF

Probably the most dangerous aspects of the RTM situation are the attempted (?) suppression of information by federal authorities as well as the media hype/public paranoia that have been generated. I remember well the panic/fascination in the public after the _War Games_ "phase". As if we don't have enough difficulty creating trust in our "users" already!!!

I would welcome mail discussing this, if the list begins to diverge much farther from its primary purpose, and people still want to talk about it.

Bob Stratton
Info. Systems Consultant
Stratton Systems Design

------------------------------

Date: 16 Nov 88 19:55:00 EST
From: Michael Brown
Subject: Re: Military Systems

Most military applications are standalone products that have no interaction with the rest of the world, so the possibility of the system being affected by a virus is minimal. The systems that the military use are not perfect, but they have to be pretty close before they become operational. As was mentioned, drills and simulations are used extensively to test the reliability of the software/hardware.

Quick example. When they first came out with the F-16 they discovered a bug in one of the simulators, the plane inverted when it flew over the equator. When they compared the code, the same bug was found in the actual planes. The same bug was found and corrected in the real planes.

CP6-Mail: Michael Brown @CMR
NET-Mail: Michael Brown
Snail-Mail: Service Informatique CMR, St-Jean, Que. J0J 1R0

------------------------------

Date: Wed, 16 Nov 88 10:09:06 SET
From: "Christian J. Reichetzeder"
Subject: Re: FluShot+ versions

How about making the latest (or only recommended) version available on the VIRUS-L FILELIST ?

Christian

[Ed. That's the plan - as soon as I can get around to doing it.
Placing files on a LISTSERV filelist is no simple task (oh, I wish everyone could anonymous FTP...); there's not enough space to place sufficient comments about the file(s), and the commands to actually put a file up are somewhat, er, cryptic. Removing an existing file on a filelist is worse. Also, it's been reported that some people are having problems uudecoding the files on our LISTSERV - apparently the EBCDIC (sp?) character set doesn't include all the ASCII characters that are used in UUENCODED format files. If that's the case, then that's yet another problem to deal with. Comments/suggestions are welcomed.]

------------------------------

End of VIRUS-L Digest
*********************
=========================================================================
Date: Fri, 18 Nov 88 07:54:52 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Summary of VIRUS-L usefulness request

Shortly after the recent Internet Worm episode, I asked the VIRUS-L readers for their input as to how useful and timely they felt the information here on VIRUS-L was. I'd like to thank everyone who replied to me! If I didn't reply to you personally, I still greatly appreciated your input! I've also received dozens of comments on the new digest format, almost all of which have been very positive. Thanks to all who commented on that too!

The outcome was predominantly that the information from VIRUS-L was useful in clarifying what people were reading in the media, and ranged from being very timely to not timely enough. A lot here has to do with network location; some sites receive messages almost immediately, while others take up to a couple of days (!) to get their mail from VIRUS-L. Also, some of the info that went out was reposted from RISKS and/or the TCP-IP group; readers of those groups naturally read those postings there first. In addition, most readers weren't overly concerned with the multiple postings at the time.

So what does all of this mean?
Well, the networks themselves aren't always as fast as we'd like for them to be for one thing. Beyond that, I'm not really too sure. I'd like to think that VIRUS-L is a healthy, unrestricted vehicle for discussing the issues at hand, and I think that the comments, in general, confirmed that.

Several readers said that most of the issues discussed here pertain primarily to microcomputers (PC and Mac et al). I suppose that's been the case by and large. I'd like to see that expand a bit into the network and Unix world. Comments and suggestions?

Thanks again for all the feedback!

Ken

Kenneth R. van Wyk                   Calvin: Mom, I'm going to grow a LONG
User Services Senior Consultant         beard like the guys in ZZ Top!
Lehigh University Computing Center   Mom: That's great Calvin, do it!
Internet:                            Calvin: Wow, I thought she'd put up more
BITNET:                                 of a fuss than that!
=========================================================================
Date: Fri, 18 Nov 88 08:57:17 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #13

VIRUS-L Digest Friday, 18 Nov 1988 Volume 1 : Issue 13

Today's Topics:
recovery from the pit
SALAMI SLICING

---------------------------------------------------------------------------

Date: Thu, 17 Nov 88 18:19:46 EST
From: "Homer W. Smith"
Subject: recovery from the pit

I agree (as should be obvious by now) that resources of hackers should be tapped before they go over the edge.

I just want to make it more clear that having a professional job is not of itself sufficient. These guys need a job CRASHING COMPUTERS.

They gotta be doing what they do best. If they are gonna do it anyways, it might as well be on our side.

I know I will be silently or openly flamed for this but though I will say it anyhow.

IF YOU CAN'T BEAT THEM, MANAGE THEM.
=========================================================================
Date: Fri, 18 Nov 88 14:52:38 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #14

VIRUS-L Digest Friday, 18 Nov 1988 Volume 1 : Issue 14

Today's Topics:
Will The Source of The Worm be Published ?
CSI Standpoint on Internet worm (long)
CMS Protected Mode (IBM VM/CMS)
UK televison programme.
Report of brain virus sighting (PC)

---------------------------------------------------------------------------

Date: Fri, 18 Nov 88 17:04:18 HMT
From: Kostas Antonopoulos
Subject: Will The Source of The Worm be Published ?

Greetings ,

Has anyone out there heard if the ArpaNet Worm source will be published ? I've heard that NSA is trying hard to prevent this ... Does anyone know something about ?

Thanx ,
Kostas

[Ed. I know that at least a couple people are doing formal papers on the subject, and that there is some talk of an RFC (request for comment from the Internet governing body) being produced. The latter is uncertain. Anyone else have any more info?]

------------------------------

Date: Fri, 18 Nov 88 09:25 CST
From: Ken De Cruyenaere 204-474-8340
Subject: CSI Standpoint on Internet worm (long)

I have just returned from the 15th annual Computer Security Institute Conference (held this year in Miami Beach). This conference was attended by over 1500 computer security professionals. The CSI Advisory Council composed the following and distributed to all attendees. The intent is to send 'an important message to the computer criminal and to our public servants':

November 16, 1988

To: CSI Conferees
From: The CSI Advisory Council

The education and motivation that all of us receive during this and other computer security conferences helps us to be more effective practitioners. This year's CSI Conference especially should call us to action.
You probably attended at least one workshop that discussed the recent ARPANET situation. Whether or not the media "decides" that any damage was done, it clearly produced lost time, slipped deadlines, or--at the very least-- a few cycles of management "think time" worrying about computer viruses.

We encourage you to do two things immediately upon your return:

1. Send a letter to your local U.S. attorneys recommending that the ARPANET virus situation be prosecuted to the full extent of the law. It may even be appropriate that your organization take some form of independent legal action in this case; and,

2. Send a letter to your state and federal legislators requesting that they aggressively pursue the development of effective computer crime legislation. You might even offer to help evaluate drafts of pending bills.

Attached are samples of letters you may wish to use as models to get this message to your local U.S. attorneys and your legislators. Consider spending a few minutes "wordsmithing" one or more letters and then send them to the people who can make and enforce computer crime laws.

As an emerging profession, we can send an important message to the computer criminal and to our public servants... a message that we take our responsibilities seriously, and that we want to establish solid legal accountability for computer and information protection.

Michael Corby, Bain & Co.
Joseph R. Kretz, Jr., FMC Corp.
Thomas R. Peltier, General Motors

SAMPLE LETTER TO A UNITED STATES ATTORNEY:

Hon.___________________
United States Attorney

Sir:

I am in charge of computer security for this organization. In the wake of the recent attack of the ARPANET virus, it was necessary to close down our usual computer operations and devote _______ hours of debugging and testing before we could safely resume normal operation.

This represents a significant interruption of our business, and deprived us of an estimated $_______ of employee time.
In discussing this matter with other computer security professionals, I find that our organization was only one of many which were disrupted or damaged by the deliberate introduction of a viral program.

It is my understanding that abuse of access is punishable under Title 18 United States Code 1030(a)(3). The vehicle for this contamination of our systems, as you know, was the ARPANET computer network. If, for example, a primary waterway was polluted, I am confident that your office would act and act firmly; a primary data stream should be equally protected.

I urge you to take a close look at this particular offense, and to prosecute it vigorously. I am ready to provide evidence of its impact on our organization, and I will be glad to assist you in documenting further victimization.

(Signed)_______________________

SAMPLE LETTER TO A UNITED STATES ATTORNEY:

Dear U.S. Attorney:

I am writing to you to express my organization's concern over the apparent apathy within the Justice Department as evidenced by their failure to vigorously pursue computer crime incidents and to assume a leadership role in this arena.

The recent ARPANET virus case, which has affected thousands of computer systems and cost companies and institutions tens of thousands of man-hours to investigate and remedy--not to mention the cost of denying use of those systems--appears to be another example of this apathy.

I, along with many other responsible computer professionals across the United States, believe it is imperative that this most recent incident be prosecuted to the fullest extent of the law. It is not in the best interests of businesses and other organizations to allow the person(s) responsible for this situation to avoid being held accountable for their actions, let alone be allowed to profit by it. To do so would only encourage more of the same.

Existing federal computer crime statutes, such as 18 USC 1030(a)(3), can be applied in this case.
My organization expects those avenues to be fully pursued by the Justice Department. I would appreciate knowing what actions will be taken by your department in this matter.

Sincerely,

SAMPLE LETTER TO A STATE OR FEDERAL LEGISLATOR:

Dear Senator/Representative _______________:

I am a computer professional whose job responsibilities include protecting the integrity and reliability of my company's critical business data. If organizations are to grow and prosper, business decisions must be made on the basis of accurate and timely data. I am personally and professionally appalled by the risks posed to this decision-making ability by computer criminals.

I therefore join my tens of thousands of responsible colleagues and millions of citizens who support the development and enforcement of strict computer crime legislation. I urge you to aggressively push for full penalties for perpetrators of computer crimes, especially the creation of damaging virus programs, as was the case in the recent ARPANET incident.

As your constituents, we encourage and expect your support for the necessary computer crime legislation. I am willing to work with you in evaluating and developing laws that protect our valuable decision-making ability.

I look forward to hearing from you.

Very truly yours,

------------------------------

Date: Fri, 18 Nov 88 11:11:03 EST
From: Gabriel Basco
Subject: CMS Protected Mode (IBM VM/CMS)

On the REXX Discussion list, the subject on the CHRISTMA EXEC also appeared, and someone had a comment that in CMS, you can run a program in 'protected mode'. Can anybody give me more details?

------------------------------

Date: 18 Nov 1988 14:31:22-WET
Subject: UK televison programme.
From: Julian Daley

This message may well get to UK sites too late to matter, but here goes ...

Channel 4 in the UK (? S4C) are screening the penultimate programme in their Equinox series on Sunday 20 November.
The programme concentrates on chaos and promises to cover the history behind the subject and current thinking. I haven't seen any of the other programmes in this series so I can't vouch for its accuracy or eloquence. I'll try to watch the programme (video recorder permitting !) and if there is anything interesting post a reply to The List. (Don't let that stop anyone else who sees it from commenting - I'm a physicist, not a TV critic ! )

Julian.

------------------------------

Date: Fri, 18 Nov 88 13:13 EST
From: "Shawn V. Hernan"
Subject: Report of brain virus sighting (PC)

For those of you who are interested in such things, there are indications that the "brain" virus might have hit Pitt. By 'indications' I mean that someone in the labs said he discovered it using 'nobrain', a pd (?) virus detector/eliminator.

Shawn Hernan
Univ. of Pittsburgh

------------------------------

End of VIRUS-L Digest
*********************
=========================================================================
Date: Mon, 21 Nov 88 08:05:20 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V1 #15

VIRUS-L Digest Monday, 21 Nov 1988 Volume 1 : Issue 15

Today's Topics:
Jerusalem Virus... (PC)
Request for anti-virus information (micro)
UUENCODE, ETC; (PC)
Can viruses cause hardware damage?
Recent Virus (Internet)

---------------------------------------------------------------------------

Date: Fri Nov 18 16:22:54 1988
From: Pedro Sepulveda J.
Subject: Jerusalem Virus... (PC)

Hi Networkers...!

We are agree to tell you that, in our University, it has been developed a program which takes out the JV virus from the .COM files. The author is Gonzalo Rojas Costa, an electric engineering student who works with us in the virus investigation.
This program ( called VACUNAJV.COM ) was originally developed in assembly language, and the release 1.0 has been tested with success cleaning a lot of spreaded programs.

Actually, the program is available for the BITNET users, and you just have to write us. But first, we need the UUENCODE and UUDECODE programs for the sending. Besides, we are beginning to work in a similar program that cleans the .EXE files.

Our purpose, as work group, is to develop effective tools for the file spreading, making protection rules and studying the effective damage produced by the virus, and how they are produced.

We know that in the world exist many groups working on the same area, and we would like to contact them for the information interchange.

Lately, we have had some cases with the BRAIN virus, and we NEED all the information available.

Hoping your response,

Grupo de Soporte Tecnico de Secom
Universidad de Santiago de Chile.

Note: We are talking of a PC IBM or compatibles.

------------------------------

Date: Fri, 18 Nov 88 18:18:26 -0900
Subject: Request for anti-virus information (micro)
From: BILL _ POTTENGER

Looking for any and all info on anti-viral software, hardware (including plug in cards), and OS stuff. Please help - am having trouble locating useful info. (Rest of message follows below...)

Bill

=> #34 FTBP Wed 16 Nov 23:23
From: BILL _ POTTENGER

Hello! I was hoping you could help me track down some people doing research on secure (meaning virus proof) pc architectures. I'm looking for some profs or grad students who are designing virus resistant pc architectures... it's for a project I'm doing for my senior project in high performance architecture class CS448 up here... Any help would be appreciated!

Bill

ps. due date: 12-9-88

------------------------------

Date: Sat, 19 Nov 88 13:26:45 EDT
From: Jean Coppola
Subject: UUENCODE, ETC; (PC)

Hi, thanks to all who sent debrain.exe in 'coded' form.
I requested uuencode pas and uudecode pas from LEHIIBM1 but they will not compile properly (read error free) under Turbo 4.0. Perhaps someone can take the time to explain to all newcomers how this procedure works so we can get DEBRAIN.EXE in an executable format.

[Ed. I'll try to put up Turbo Pascal 4.0 versions of uuencode and uudecode on our LISTSERV before the end of this week.]

------------------------------

Date: Sat, 19 Nov 88 14:21 EST
From: Ain't no livin' in a Perfect World.
Subject: Can viruses cause hardware damage?

I believe I've read somewhere that viruses can cause hardware problems, like drives to fail. Does anyone know what the specific problem with the drives could be if a virus would do this (cause one to fail.)?

Tom Kummer

------------------------------

Date: Sun, 20 Nov 88 12:10:47 EDT
From: SSAT@PACEVM
Subject: Recent Virus (Internet)

With all due respect, has anyone considered that the recent virus might have been a test conceived by the father and son working as a team? After all his father is the Director of Computer Security at the Fort Meade computer center and could authorize such a test!

[Ed. I don't think that title is correct; I believe that Robert Morris, Sr. is a research scientist for the NCSC, if memory serves me correctly.]

I think this could have been done to emphasize the need for more thorough testing and control of government appropriated software. In any event, no real damage was done, no files destroyed, just a massive computer network brought to its knees. Imagine if the same thing happened when SAC reported 100+ missiles inbound!

------------------------------

End of VIRUS-L Digest
*********************
=========================================================================
Date: Mon, 21 Nov 88 16:31:54 EST
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was virus-l@SPOT.CC.LEHIGH.EDU
From: "The Moderator Kenneth R.
van Wyk"
Subject: VIRUS-L Digest V1 #16

VIRUS-L Digest Monday, 21 Nov 1988 Volume 1 : Issue 16

Today's Topics:
"hacker" paper anncmnt
CSI [who?] Standpoint on Internet worm
Correction on previous posting (V1 I14)
Nightline Transcript available
RE: Letter to U.S. attorneys
Re: Viruses doing hardware damage
RE:Can virii cause hardware damage
(1) Military virus targets; (2) voting fraud by computer.

---------------------------------------------------------------------------

Date: Mon, 21 Nov 88 02:19 CST
From: Gordon Meyer
Subject: "hacker" paper anncmnt

I've been enjoying the on-going debates about just who and what hackers are. I've devoted quite a bit of time and energy studying this question and I thought I'd make some of the results available to those of you that might be interested.

I am in the process of writing a Master's thesis on the social organization of the computer underground. It's a participant observation/ethnographic project, so the conclusions I draw and the illustrations I present are taken from the hackers, phreakers, and pirates themselves....not the media and other usual sources.

The paper I have available (about 10 pages) is a revision of a work-in-progress presentation made earlier this month. Titled "Hackers, Phreakers, and Pirates: The Semantics of the Computer Underground", it discusses the use of such terms and offers some classification guidelines in order to help resolve the "anyone with a modem is a hacker" finger-pointing that often occurs.

If you would like a copy please respond directly to me, not this list. Your feedback and criticisms are most welcome as well.

- -=->G<-=-

PS: This note is being cross posted to Virus-l and Ethics-l.

Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER CIS: 72307,1502 Phone: (815) 753-0365
Bitnet: tee-kay-zero-gee-are-em-one at enn-eye-you
Disclaimer: Grad students don't need disclaimers! I'll have an opinion when I get my degree.
- --- BE YE NOT LOST AMONG PRECEPTS OF ORDER... (book of Uterus) ---

------------------------------

Date: Mon, 21 Nov 88 10:15:36 EST
From: roskos@ida.org (Eric Roskos)
Subject: CSI [who?] Standpoint on Internet worm

> In the
> wake of the recent attack of the ARPANET virus, it was necessary
> to close down our usual computer operations and devote _______
> hours of debugging and testing before we could safely resume
> normal operation.
>
> This represents a significant interruption of our business, and
> deprived us of an estimated $_______ of employee time.

This past Saturday evening's "Communications World" broadcast on the Voice of America devoted a significant amount of time to discussing the Internet virus. An interesting point, made by an AT&T researcher who was interviewed by VOA, was that the ARPAnet began as a research network (note the "R" in ARPA), which unfortunately many people had become dependent on despite the fact that its software was not designed for this type of usage.

This is, in fact, why the ARPAnet per se is being discontinued, to be replaced by other networks; to quote from the bulletin "Death of the ARPAnet and Other Paranoia," published by the management of the ARPAnet,

> In addition to being heavily loaded, the ARPANET is no longer able to
> support its other prime function, that of a research base. To conduct
> any kind of experiment on the ARPANET causes too much service
> disruption to the community.

The solution to this, the authors (Mark Pullen and Brian Boesch of DARPA) say, is "to eliminate the source of the problem" by "outgrowing" the current network, replacing it with an "experimental" network, funded by DARPA to promote network research, and an "operational" network, paid for by the users and run by a contractor. [Note: the complete text of this bulletin was posted by its authors to the Usenet's TCP-IP newsgroup a few months ago.]
In fact, if one carefully reads the regulations for use of the ARPAnet, and then considers how the ARPAnet is used in practice, it is much easier to see why the above recommended letter is simplistic.

Given this fact, and the fact that the author of the virus clearly did not intend to do damage, and in fact was successful at causing a service degradation only at sites which had not corrected known security problems in their software, the proposed actions seem somewhat extreme; it seems as if the suspected author of the virus is being made a "scapegoat" for the unknown authors of the many intentionally harmful and malicious viruses.

This is not intended to advocate the writing of such viruses. However, considering especially that all the blame has fallen on the virus writer, and seemingly none on the programmer who coded the "back door" into Sendmail -- and which could be and perhaps may have been used to gain access to systems many times before this virus publicized its existence -- the recommended letter seems somewhat extreme. Overreaction, rather than straightforward correction of the technical problems involved, might have the undesirable side effect of denying beneficial research environments and communication provided to the research community via the ARPAnet, of which the VIRUS-L mailing list is just one example.

DISCLAIMERS: The above is my personal opinion, and does not necessarily reflect the opinion of my employer nor those with whom my employer does business. The comments describing the ARPAnet and its research function are based on my current understanding of its role in the research community, and do not necessarily reflect the position of DARPA or the management of the ARPAnet.

------------------------------

Date: 21 Nov 1988 11:09:29-WET
From: Julian Daley
Subject: Correction on previous posting (V1 I14)

SORRY ! That message was posted to the WRONG LIST.
I am _very_ embarrassed 8-(
If anybody IS interested in chaos try the frac-l list which is held by the listserv @ gitvm1 ( where I was trying to send the last message !)

Many apologies (the worm must have got to my brain),
Julian.

[Ed. My apologies also, for letting it slip by...]

------------------------------

Date: Mon, 21 Nov 88 10:55:55 EST
From: Scott Earley
Subject: Nightline Transcript available

After reading Doug Hunt's msg about Koppel I made an investigation worth sharing. Permission was granted by a telemarketer for this:

Show title: Computer Viruses
Air Date: Nov 10, 1988

Send $3.00 to
Nightline Broadcasts
267 Broadway
NY, NY 10007

or phone 212 227-7323 for credit card orders

(Doug, I had them verify this date TWICE :-)

[Ed. Thanks for the info, Scott; I wonder whether they have transcripts available on 5 1/4" disk... :-) ]

------------------------------

Date: Mon, 21 Nov 88 12:34 EST
From: Chris Bracy
Subject: RE: Letter to U.S. attorneys

> 1. Send a letter to your local U.S. attorneys recommending
> that the ARPANET virus situation be prosecuted to the full extent
> of the law. It may even be appropriate that your organization
> take some form of independent legal action in this case; and,
>
> 2. Send a letter to your state and federal legislators
> requesting that they aggressively pursue the development of
> effective computer crime legislation. You might even offer to
> help evaluate drafts of pending bills. Attached are sample of
> letters you may wish to use as models to get this message to your
> local U.S. attorneys and your legislators.

This will insure that only those people with actual criminal intent will write a virus. And that the code is better written so it can't be found as easily.

Yes damage was done. Many man hours of work were lost. But if you think about it, it could have been much, much worse. If harm was intended, it was very easy to do. But the intent was obviously not harm. This just showed us that we have to be more careful.
We can't legislate computer security, we have to program it in.

Chris.

*==============================*======================================*
| Chris A. Bracy               | Student Consultant                   |
| (215) 758-4141               | Lehigh University Computing Center   |
| Kcabrac@Vax1.cc.Lehigh.Edu   | Fairchild Martindale Bldg. 8B        |
| Kcabrac@LehiCDC1.Bitnet      | Lehigh University                    |
| CAB4@Lehigh.Bitnet           | Bethlehem, PA 18015                  |
*==============================*======================================*

------------------------------

Date: Mon, 21 Nov 88 12:30:28 EST
From: Jim McIntosh
Subject: Re: Viruses doing hardware damage

> I believe I've read somewhere that viruses can cause hardware
>problems, like drives to fail. Does anyone know what the specific
>problem with the drives could be if a virus would do this(cause one to
>fail.)?

If someone could get damaging code executed on my machine it could damage data stored on hardware in such a way as to appear to be a hardware error.

I have all VM privilege classes, and can link to fullpack minidisks that include system areas. A good virus could issue the DIRECT command, thereby preventing anyone from logging on, and then issue some links and then do some physical I/O's to wipe out areas like the VTOC on our disk packs. We would get disk errors (NO RECORD FOUND, etc) which could appear to be hardware errors, and if we tried to re-IPL we would find that the system would be dead. It might take some time to discover that it was a virus, and not a disk controller error (for example).

------------------------------

Date: Mon, 21 Nov 88 13:14 EST
From: Steve Okay
Subject: RE:Can virii cause hardware damage

>From: Ain't no livin' in a Perfect World.
>Subject: Can viruses cause hardware damage?
>
> I believe I've read somewhere that viruses can cause hardware
>problems, like drives to fail. Does anyone know what the specific
>problem with the drives could be if a virus would do this(cause one to
>fail.)?
>Tom Kummer

This has been kicked around on here before and I believe that the general consensus was "yes", but in a sort of roundabout way. That is to say, they can't damage hardware directly, but by some rather clever programming. Also I don't recall any of the affirmative messages mentioning anything about a virus program doing the damage. Most, if I recall correctly, were just singular, albeit still destructive, programmings. To wit are several notices below from VIRUS-L of the recent past.

#1::
From: "JOHN D. WATKINS"
Subject: kill that drive!

On the subject of damaging disk drives, a couple months ago I read (I think in Computers & Society Digest) about a prank you could play with drives; you figure out a good resonant frequency for the drive, then make the head(s) seek at just that rate. The drive starts vibrating (relatively) violently, enough so that it creeps across the floor, possibly unplugging itself and certainly puzzling the operators in the morning!

I believe that this referred to mainframe drives, but it has interesting possibilities for micros as well; if you could make a drive vibrate for long enough you might be able to throw it out of alignment or something evil like that...

Kevin

#2:
From: GREENY
Subject: even *MORE* on hardware damage

All this talk of "programs" causing damage to hardware has caused a few of the ole cobwebs to clear out of the history section of my brain which caused a story that I heard a long long time ago in a CS101 class to surface..

"...It seems that a programmer who delighted in taking excessively long lunch hours discovered a way to shut down the computer for hours at a time.
It happened that the programmer -- in those days also being somewhat of an Electrical Engineer -- discovered exactly which MAGNETIC CORE was closest to the High-Temp shutdown sensor, and wrote a program which continuously wrote an alternating pattern of binary 0's and 1's to *THE* core, until it got hot enough to trigger the High-Temp shutdown sensor. The sensor, being deceived into thinking that the entire machine was overheating, promptly shut it down"

...An oldie, but a goodie...

Bye for now but not for long
Greeny

Bitnet: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: If you happen to still have some core memory machines being used and you pull this trick -- forget where you read this!:->

-----------------------End Appended Messages------------------------------

Hope that Helps.....

---Steve
-------------
Steve Okay/ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source
"Too Busy to think of a clever and witty Disclaimer"

------------------------------

Date: Mon, 21 Nov 88 08:44 EDT
From: Jim Cerny
Subject: (1) Military virus targets; (2) voting fraud by computer.

Here are a couple of thoughts after virus/worm events of the last couple of weeks. BTW, I much appreciate the "reprinting" of selected items from RISKS and other lists that contain items of interest to VIRUS-L subscribers because I already attempt to scan too many lists as it is.

Military virus targets.
----------------------

Even if the recent virus, or some other virus, did hit some military systems, I doubt that we would know it. Experience of the last decades shows that the federal government would go to great lengths to cover up such a fact. It would be classified before you could press RETURN!

Another thought.
If I worked for a technologically-advanced, hostile country and wanted to do evil things to the US military capability, it seems to me that very-early-on in a brainstorming session I'd have the idea of building my virus/worm/whatever-you-call-it into the actual chips that would be manufactured into the computer. I believe the military uses chips from the usual Asian source countries. If you say, nah, this could not happen, consider the problems being caused by counterfeit bolts. Asian suppliers are flooding the US with low-performance bolts made to look like high performance bolts and some of these have been built into military equipment. Now, it seems to me that the "correctness" of a bolt is relatively easy to do testing on, compared to a chip!

Voting fraud by computer.
------------------------

Coincident with all the uproar over the recent Unix-penetrating virus, there was an article published in The New Yorker, November 7, 1988, by Ronnie Dugger, titled "Annals of Democracy: Voting by Computer." The gist of the article is that computers are being used more and more to count votes, yet there are tremendous risks for rigging elections and that this strikes at the heart of our democracy. In the long run I think this is a much more vital and important topic than the occasional virus that gets loose and generates great publicity. The vote rigging might not be done by a VIRUS, but I think this is a subject that may interest many VIRUS-L subscribers. If this is discussed on RISKS, I'd appreciate it if a RISK subscriber would forward to me a copy of any such voter-fraud-by-computer comments.

Jim Cerny, University Computing, University of New Hampshire
J_CERNY@UNHH (BITNET) .. uunet!unh!jwc (UUCP)

------------------------------

End of VIRUS-L Digest
*********************