From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 05 Jun 90 14:02:20 BST 
Message-Id:   <$TGVGDBVHCNWV at UMPA>
Subject:      Virus-L vol 0 issue #0606



Virus-L Digest Mon, 6 Jun 88, Volume 0 : Issue #0606

Today's Topics

Re: forwarded from RISKS...
virus-writing course
Re: forwarded from RISKS...
Forwarded submission follows...
Virus 101
Terminology
my 2 cents on viruses in classes
RE: Re: forwarded from RISKS...
RE: Re: forwarded from RISKS...
Re:      my 2 cents on viruses in classes
More virus questions

------------------------------

Date:         Mon, 6 Jun 88 08:53:53 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: forwarded from RISKS...
In-Reply-To:  Message of Fri, 3 Jun 88 15:03:48 EDT from <LUKEN@LEHIIBM1>

I would personally have to say that teaching someone how to write a
virus WITHOUT knowing whether he or she is a "model citizen" is
probably a bad idea.

It seems to me that such a procedure is like teaching chemistry students
how to synthesize hard-to-detect toxins or hallucinogens, or like teaching
undergraduate biology majors to play with recombinant DNA experiments with
the AIDS virus in a regular lab.

Many problems could occur. The accidental release of a virulent virus could
cause a very nasty "plague" before it was stopped. The deliberate release of
such is akin (at least in my opinion) to germ or chemical warfare. Such things
are not easy to target, and unforeseen effects nearly always occur.  Finally,
the students present a danger to themselves through inadvertent exposure to
their own viruses.

"Here, have these plans for an A-bomb. Now, where did I leave all of that
extra plutonium...?"

- Joe M.

--------------------

Date:         Mon, 6 Jun 88 01:39:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Warning -- RSCS tag indicates an origin of CMF@PITTVMS
From:         "Shawn V. Hernan" <VALENTIN@PITTVMS>
Subject:      virus-writing course

Regarding the Engineering professor who taught virus writing:

As long as the professor was very explicit about the dangers of releasing the
virus, he was acting quite properly. His methods are pedagogically sound.
In order to cure a virus, it is NECESSARY to understand how they work.
The best way to understand how they work is to write one.
There are similar examples in other engineering fields. A Civil Engineer
might, for example, build a model bridge only to destroy it. Of course,
this is only a valid analogy if the lab where the virus was written was
isolated from other computers.



                                        Shawn Hernan
                                        Faculty Consultant
                                        University of Pittsburgh

p.s. I am a Senior Electrical Engineering Student. I wish I had this
professor

--------------------

Date:         Mon, 6 Jun 88 11:05:08 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe Simpson <JS05STAF@MIAMIU>
Subject:      Re: forwarded from RISKS...
In-Reply-To:  Message of Fri, 3 Jun 88 15:03:48 EDT from <LUKEN@LEHIIBM1>

Re: Freedom of information and the virus "course".

I believe that the professor has the right to teach such a course.  The
professor is also responsible for damage done to others during conduct
of the course.  Of course, a little "social pressure" is the right of the
professor's colleagues.

--------------------

Date:         Mon, 6 Jun 88 13:07:18 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Forwarded submission follows...

From: minow%bolt.DEC@decwrl.dec.com (Martin Minow THUNDR::MINOW ML3-5/U26
 223-9922)
Subject: Contribution to VIRUS-L "Dismounting a hard drive may not be sufficient"

Several participants have suggested ways to make a hard disk drive
unavailable to the operating system while testing a potentially
infected piece of software.

All of these suggestions presuppose that the virus plays by the rules:
that it opens files by calling the operating system's "open" routine, etc.

Since the drive is still electrically connected, however, you have no way
of preventing the virus from bypassing the operating system, controlling
the hard disk by directly accessing the command registers.

I.e., you really have to unplug the drive to be safe.  Of course, this
may void your warranty...

Martin Minow
minow%thundr.dec@decwrl.dec.com

The above does not represent the position of Digital Equipment Corporation

----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =    This page intentionally    =
= Lehigh University Computing Center   =          left blank.          =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
----------------------------------------------------------------------

--------------------

Date:         Mon, 6 Jun 88 13:56:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Kelly Kreiger <KELLYK@ALBNY1VX>
Subject:      Virus 101

I would feel a whole lot more at ease about the professor who wants
his students to write computer viruses if I thought the students (and
instructor, for that matter) operated within a framework similar to
the ethical guidelines and procedural restraints imposed on the
biological/medical analog.

                                        -- Kelly

--------------------

Date:         Mon, 6 Jun 88 12:02:13 mdt
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Warning -- original Sender: tag was
From:         Bill Kinnersley <iphwk@mtsunix1.bitnet>
Subject:      Terminology

        Subscribers to this list may be interested in the recent article
"Computer Viruses" by Peter J. Denning in the American Scientist, vol 76
page 236.  In particular, he discusses terminology.  Paraphrasing his
definitions:

1) Worm - a program that invades a workstation and disables it.
        <one copy per machine, RAM resident, self propagation via network>

2) Trojan horse - a program that performs some apparently useful
        function, but containing hidden code that performs an
        unwanted malicious function.
        <file resident, propagation by unwitting human beings>

3) Bacterium - a program that replicates itself without bound,
        thereby preempting the resources of the host system.
        <many copies per machine, RAM resident, self propagating>

4) Virus - a program that incorporates copies of itself into the
        machine code of other programs, and when those programs
        are invoked, performs a malicious function.
        <two phase life cycle - RAM form with self propagation,
                                file form with human propagation>

        Denning points out that these types often occur in combination.
A Trojan Horse is the most common means of originally introducing a
virus into a system.  For example, a Trojan Horse compiler can attach
a copy of the virus code to its output.

Defence against computer viruses comes out sounding like a message
from the Surgeon General.  Practice digital hygiene yourself.  Don't
exchange programs with anyone whose computer habits are not up to
your own standards.  Refuse to use software if the manufacturer's
seal has been broken!

        Maybe we need a "Centers for Computer Disease Control".

--------------------

Date:         Mon, 6 Jun 88 13:57:18 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      my 2 cents on viruses in classes


For what it's worth, I'm sure that there are tons of pros and cons
for having a professor tell his/her students to write a virus.  I
propose, however, that it could be very worthwhile - in a controlled
environment.  Someone presented the idea of having the students
exchange programs with one another in order to allow each student
to try to stop a virus, as well as author one.  I think that this
*could* be very beneficial for the students.  The controlled environment
that I'm talking about would have to be something like a microcomputer
lab with no outside world connections (serial or otherwise), and
pcs that are either dual floppy or reloaded from tape backups frequently.
Perhaps even disallowing floppies to leave the lab...

Granted, this would be "arming" the students with the knowledge of
how to write a virus, but it would also be giving them some very
practical experience.  They'd certainly get a feel for how sticky
the situation can get when trying to stop an unknown virus.

So, with the above restrictions in mind (and possibly some others as
well), I'd say that I'm for it.

On another note, I'm working on cleaning up the VIRUS-L archives.  I'm
in the process of switching them to store messages in weekly files
since the monthly ones are getting really huge.  I'd also like to say
thanks to everyone who's sent in their comments (to me) about whether
or not I should turn the list into a moderated list.  Keep them coming!
I don't want to bias anyone's opinion on the matter since all the votes
but I will say that it's going to be very close.  Everyone has made
excellent points for both sides, and it's going to be a tough decision
to make.

Ken

--------------------

Date:         Mon, 6 Jun 88 13:31:00 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         DAVIDLI@SIMVAX
Subject:      RE: Re: forwarded from RISKS...

>   Perhaps an analogy could get across my point of view. Suppose that some
>professor of mechanical engineering were to decide that to truly understand
>how a car works, his class should learn how to jimmy a car such that it
>would have an accident. I would suggest that this is similar to such a
>situation...
>                              Glen Matthews
>                              McGill University

I wish that supposedly knowledgeable people would quit making spur of the
moment "analogies" like this.

1) No one would knowingly DRIVE a car that had been set up for an accident.
   However, it is certainly possible to have it controlled externally.
   In fact, the so-called "crash" labs do just that ... deliberately cause
   an automobile to have an accident.  Thus, a "jimmied" car can, indeed,
   be tested.  (Incidentally, I doubt that your typical mechanical engineer
   spends ANY time learning how a car works ... they aren't auto mechanics
   you know.)

2) To learn how a car "works", one must have a real car (sure you can read
   about it, but I'll use an auto mechanic who's _worked_ on a car over
   one that's only _read_ about a car any day).  To learn how a virus "works",
   one must have a real virus.  As in the medical field, if you don't take
   proper precautions when working with a virus you'll get infected.  You
   learn the principles of creating linked lists by _writing_ programs with
   code to create a linked list ... why not something similar to learn the
   principles of a virus?

3) Cars are tangible objects which can be inspected.  If a problem occurs,
   you can see it for yourself.  Computer viruses are intangible electrical
   signals.  You may never see a problem occurring until AFTER the fact.

***Please*** take the time to think about your analogies!  One of the worst
analogies I've seen is "software piracy is like stealing a car".  Patently
false.  A car is a tangible object with a discrete value which cannot be
"copied" for the price of a floppy disk.

"Software piracy is like counterfeiting money" is a proper analogy.  [I leave
the exposition of this analogy to the reader...]

----------------------------------------------------------------------------

Now then ... as to the reliability of the posting to RISKS - has anyone
actually VERIFIED the information posted here as "truth"?  Disinformation
is, to my mind, as bad as any computer virus.  Incidentally, I _do_ read
the RISKS digest via USENET -- and I haven't seen that particular posting
as of this date.  Perhaps the original poster of this information will cite
the issue date of that particular RISKS digest?

-- Dave Meile, Systems Manager

Disclaimer:  Standard - my words, my opinions.  Your mileage may vary.

--------------------

Date:         Mon, 6 Jun 88 15:43:03 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      RE: Re: forwarded from RISKS...
In-Reply-To:  Message of Mon, 6 Jun 88 13:31:00 CST from <DAVIDLI@SIMVAX>

>Now then ... as to the reliability of the posting to RISKS - has anyone
>actually VERIFIED the information posted here as "truth"?  Disinformation
>is, to my mind, as bad as any computer virus.  Incidentally, I _do_ read
>the RISKS digest via USENET -- and I haven't seen that particular posting
>as of this date.  Perhaps the original poster of this information will cite
>the issue date of that particular RISKS digest?

Oops, I may have gotten it from the SECURITY digest.  (I always get the
two of them confused.)  ;-)  And let's say that it isn't "truth"...it still is
an interesting point to ponder.


Ken

--------------------

Date:         Mon, 6 Jun 88 19:10:52 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Peter G. Neumann" <NEUMANN@csl.sri.com>
Subject:      Re:      my 2 cents on viruses in classes
In-Reply-To:  <8806061855.AB02268@csl.sri.com>

VIRUS-L serves a purpose by being UNMODERATED, but contains incredible amounts
of gibberish.
VIRUS-L would serve a different purpose if it were MODERATED intelligently.
But I suspect that its audience probably likes it unmoderated.  I suffer along.
-----

--------------------

Date:         Mon, 6 Jun 88 19:15:32 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David.Slonosky@QueensU.CA
Subject:      More virus questions

Ok, so disabling the hard drive is not necessarily the best answer.
I will ask the following, then: If a virus cannot squirrel its way into
any portion of the ROM of a microcomputer, is it possible to write
some sort of routine which "fools" the virus into thinking
it's busily eating away at the hard drive when in fact it
is just doing nothing, i.e. creating a virtual hard drive or hard
drive shell? Furthermore, would it also be possible to put some sort
of flag in this routine so that the user could easily detect that the
nice piece of public domain software was really a nasty infected hunk
of ferritized iron? I realize this is only good for protecting hard
drives and not much else, but it seems that the hard drive would be
a natural target for a goodly portion of all virus writers.

As to the professor who had his students write a working virus?
I agree that as long as he followed the same protocol as we
biochemists have to follow when we deal with nasty biohazards then
the entire exercise was worthwhile. This means that no disks leave
the lab, or if they do then they get wiped with Norton's WIPEDISK
or a nice strong electromagnet, and anyone not following standard
procedures gets 1) booted out of the course and 2) booted out of
the university if necessary. That's tough, but then so is some
joker taking his/her pet virus and going around destroying files.
There are risks involved in spreading knowledge like this, but
it's better to do it and learn about the virii than shy off
because things are too dangerous and learn nothing.

--------------------

*** end of Virus-L issue ***
