Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA19938; Wed, 6 Jun 90 14:22:36 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA05137; Wed, 6 Jun 90 14:22:32 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA28409; Wed, 6 Jun 90 14:22:20 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa27191; 6 Jun 90 18:40 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 05 Jun 90 14:07:28 BST 
Message-Id:   <$TGVGDBVHCNZQ at UMPA>
Subject:      Virus-L vol 0 issue #0623



Virus-L Digest Thu, 23 Jun 88, Volume 0 : Issue #0623

Today's Topics

** no subject, date = Thu, 23 Jun 88 08:42:38 EST
re: constructive viruses
** no subject, date = Thu, 23 Jun 88 10:53:19 EDT
Byte Magazine (July 1988).
Re: Are Tandy 1??? vulnerable??
MSDOS in ROM
Don't trust CRC as a virus-indication
Re: Don't trust CRC as a virus-indication
Re: Are Tandy 1??? vulnerable?
Dos in ROM
re: Re: Don't trust CRC as a virus-indication
Operating System in ROM
re: constructive viruses
Authentication of programs

------------------------------

Date:         Thu, 23 Jun 88 08:42:38 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Neil Goldman (216) 861-5000" <NG44SPEL@MIAMIU>


>I just saw over someone's shoulder an ad for a Tandy 1000HX (I
>think...) with one of the features being "MSDOS in ROM". Does anyone
>know if this is done in such a way that makes the Tandy machines
>invulnerable to many viruses, or does (for example) COMMAND.COM still
>come off of floppy disk?
>
>               Mark Eichin
>           <eichin@athena.mit.edu>
>       SIPB Member & Project Athena ``Watchmaker''

What would happen when a new version of DOS is released?  Perhaps a replacement
board?  Sounds expensive.

--------------------

Date:         Thu, 23 Jun 88 09:20:00 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         GREENY <MISS026@ECNCDC>
Subject:      re: constructive viruses

as long as the virus is not harmful, and its only function in life is
to update old copies of software *AND* it requests my specific permission
before doing so, then it seems like a fantastic idea to me.  Perhaps such
a virus could have a specified life...i.e. If they can wake up at a specific
time (like a time bomb..) then why not die after a specific time as well,
say six months or so, basing this on the assumption that all of the software
has been updated.  Or failing the scheduled time of destruction, how about
a Destruct option?

I firmly believe that viruses can be used constructively, both in human
bioengineering, and on computers as well...All that needs to be done is
for some of the immature computer jerks to start living by the medical
community's ethical standards....(yes I know, the unattainable utopia :-> )

bye for now but not for long...
Greeny

Bitnet: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: I didn't do it, whatever it was, unless it was good? Agreed?!

--------------------

Date:         Thu, 23 Jun 88 10:53:19 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
In-Reply-To:  Message of Wed, 22 Jun 88 17:10:15 EST from <NG44SPEL@MIAMIU>

>...a worm is designed to use otherwise *unused* computing resources...

Italics are mine. If the worm is designed to truly use unused resources, one
of the things it would have to do to be "friendly" would be automatic load
checking. If it found it was actually cutting into someone's time, it would
delete that segment of itself.

- - Joe M.

--------------------

Date:         Thu, 23 Jun 88 08:10:24 PST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Tim Streater   (415) 926-2743" <STREATER@SLACVM>
Subject:      Byte Magazine (July 1988).

If you look in this comic you find a 2-page Toshiba ad, in particular for the
T1000 which has MS-DOS in ROM. Very handy for travelling to have it boot up
immediately (one less floppy to lose or spill gin on).

Of perhaps more relevance to the list in the same mag is an expose written by
Jerry Pournelle about viruses and vaccines, a couple of pages long (P. 197).
Quite a cogent and well written summary. Nothing we don't already know I
suspect but useful for the computer-literate who may only have seen accounts
in the popular press.

Cliff Stoll gave a talk at SLAC yesterday, entitled "What to feed a Trojan
Horse", the same I think as he gave at Decus last December. At that time he
held 1000 or so people spellbound and definitely raised the consciousness of
those people about the problem. He told the story of a grad student who had
lost several months of his work because a hacker had changed ONE STATEMENT of
his program, giving pi a value of 6.0 instead of 3.1415.... (Cliff was
credited with months of patient work to unmask the Chaos hackers).

--------------------

Date:         Thu, 23 Jun 88 12:37:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Are Tandy 1??? vulnerable?
In-Reply-To:  Message of 22 Jun 88 16:11 EDT from "Mark W. Eichin"


>Are Tandy 1??? vulnerable?

In general, the more fixed the media, the more difficult to infect.
Therefore, copies of the operating system on ROM will be more difficult
to infect than copies stored in other media.

However, making the operating system more difficult to infect does not
make the machine immune.  Perpetrators of viruses are attracted to the
operating system in general, and COMMAND.COM in particular, because it
is an easy solution to the problem of getting their code executed.
However, there are a number of solutions to that problem.

Therefore, the answer to your question is that yes, Tandy 1??? are
vulnerable, but perhaps marginally less so to viruses that are specific
to COMMAND.COM.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Thu, 23 Jun 88 14:24:47 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      MSDOS in ROM

Replacement board? More likely replacement ROMs.

- Jeff

--------------------

Date:         Thu, 23 Jun 88 20:51:00 N
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         DEGROOT@HWALHW5
Subject:      Don't trust CRC as a virus-indication

Subject: CRC as a virus-indicator.

Don't trust CRC-calculation or parity-calculations as a virus-indicator!
It is very easy to change a file or program in such a way that the CRC or
parity of the changed file remains the same.

Tel. +31-8370-  .KeesdeGroot   (DEGROOT@HWALHW50.BITNET)  o\/o  THERE AINT NO
     (8)3557/   Wageningen Agricultural University         []   SUCH THING AS
        4030    Computer-centre, the Netherlands          .==.  A FREE LUNCH!
                X25:    PSI%(+204)18370060638::DEGROOT

DISCLAIMER:     My opinions are my own alone and do not represent
                any official position of my employer.

- if you go too far to the east, you find yourself in the west ..  -
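
Added example (not part of the original message): a Python sketch of the property behind this warning. CRC-32 is affine over GF(2), so the checksum change caused by any edit can be computed and cancelled in four other bytes, while a cryptographic digest of the same file still changes. The sample "program" bytes and its four slack bytes are constructed for the demonstration.

```python
import hashlib
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(delta: bytes) -> int:
    """CRC-32 change caused by XOR-ing `delta` into ANY file of the same length."""
    return zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def solve_gf2(columns, target):
    """Return a bit mask x such that XOR of columns[i] over the set bits of x == target."""
    basis = {}  # leading bit -> (reduced vector, mask of the columns it is built from)
    for i, vec in enumerate(columns):
        combo = 1 << i
        while vec:
            top = vec.bit_length() - 1
            if top not in basis:
                basis[top] = (vec, combo)
                break
            bvec, bcombo = basis[top]
            vec ^= bvec
            combo ^= bcombo
    x = 0
    while target:
        top = target.bit_length() - 1
        if top not in basis:
            raise ValueError("target is outside the span of the columns")
        bvec, bcombo = basis[top]
        target ^= bvec
        x ^= bcombo
    return x


def crc_preserving_variant(original: bytes, new_body: bytes) -> bytes:
    """Return new_body plus a 4-byte tail chosen so CRC-32 matches `original`."""
    if len(new_body) != len(original) - 4:
        raise ValueError("new_body must replace everything except the 4-byte tail")
    pad = bytes(len(new_body))
    # Checksum change introduced by the body edit alone.
    target = crc_delta(xor_bytes(original[:-4], new_body) + bytes(4))
    # Checksum change contributed by each single bit of the 4-byte tail.
    columns = [crc_delta(pad + (1 << i).to_bytes(4, "little")) for i in range(32)]
    fix = solve_gf2(columns, target).to_bytes(4, "little")
    return new_body + xor_bytes(original[-4:], fix)


def baseline(data: bytes) -> dict:
    """Integrity record holding both a CRC and a cryptographic digest."""
    return {"crc32": zlib.crc32(data), "sha256": hashlib.sha256(data).hexdigest()}


def changed_fields(old: dict, new: dict) -> list:
    return sorted(k for k in old if old[k] != new[k])


# Constructed sample: a short program image followed by four slack bytes.
ORIGINAL = b'10 PRINT "HELLO"\r\n20 END\r\n' + bytes(4)
NEW_BODY = ORIGINAL[:-4].replace(b"HELLO", b"WORLD")
TAMPERED = crc_preserving_variant(ORIGINAL, NEW_BODY)

if __name__ == "__main__":
    # Only the SHA-256 field reports the change; the CRC field is identical.
    print(changed_fields(baseline(ORIGINAL), baseline(TAMPERED)))
```
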

--------------------

Date:         Thu, 23 Jun 88 16:15:04 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Mark R. Williamson" <MARK@RICE>
Subject:      Re: Don't trust CRC as a virus-indication
In-Reply-To:  Message of Thu, 23 Jun 88 20:51:00 N from <DEGROOT@HWALHW5>

>Subject: CRC as a virus-indicator.
>
>Don't trust CRC-calculation or parity-calculations as a virus-indicator!
>It is very easy to change a file or program in such a way that the CRC or
>parity of the changed file remains the same.

True, if the changer knows what polynomial is being used for the CRC.
However, use of two or more independent polynomials should make it much
more difficult.  The more independent virus checkers with different
polynomials there are, the harder it will be for the virus builders.

Note: The above is an unverified assertion.

--------------------

Date:         Thu, 23 Jun 88 17:51:46 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David Camp <C04661DC@WUVMD>
Subject:      Re: Are Tandy 1??? vulnerable?
In-Reply-To:  Message of Wed,
              22 Jun 88 16:11:26 EDT from <eichin@ATHENA.MIT.EDU>

>I just saw over someone's shoulder an ad for a Tandy 1000HX (I
>think...) with one of the features being "MSDOS in ROM". Does anyone
>know if this is done in such a way that makes the Tandy machines
>invulnerable to many viruses, or does (for example) COMMAND.COM still
>come off of floppy disk?

If not, I would never buy such a machine.  One could not take
advantage of upgrades to Dos.  I suppose it may allow either
the Rom version or a diskette version, which would be okay.
That would speed up booting (when you do not need the later
versions).  I wonder if all the commands on the Dos disk are
in Rom too.  Maybe they were just referring to the normal
Rom-Bios, in which case their advertisement may be misleading.
-David-

>
>                Mark Eichin
>            <eichin@athena.mit.edu>
>        SIPB Member & Project Athena ``Watchmaker''

--------------------

Date:         Thu, 23 Jun 88 17:38:27 PST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Tim Streater   (415) 926-2743" <STREATER@SLACVM>
Subject:      Dos in ROM

The T1000 (from Toshiba) has everything in ROM (the whole OS), as well as all
the standard commands. In fact, it has a ROM-disk (the A-disk as I recall) as
well that you can DIR and see all the normal files you would see when DIR-ing
any standard system disk. This frees up your floppy on a one-drive machine to
be all data. I think it keeps COMMAND.COM in CMOS or something. You can also
boot from floppy if you really wish to.

--------------------

Date:         Thu, 23 Jun 88 22:53:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Woody <WWEAVER@DREW>
Subject:      re: Re: Don't trust CRC as a virus-indication

Mark R. Williamson <MARK@RICE> writes

>>Subject: CRC as a virus-indicator.
>>
>>Don't trust CRC-calculation or parity-calculations as a virus-indicator!
>>It is very easy to change a file or program in such a way that the CRC or
>>parity of the changed file remains the same.
>
>True, if the changer knows what polynomial is being used for the CRC.
>However, use of two or more independent polynomials should make it much
>more difficult.  The more independent virus checkers with different
>polynomials there are, the harder it will be for the virus builders.
>
>Note: The above is an unverified assertion.

This has all been hashed out once in the logs.  See them for a verification.

--------------------

Date:         Thu, 23 Jun 88 19:45:14 PLT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Andrew Vaught <29284843@WSUVM1>
Subject:      Operating System in ROM

The operating system in ROM? Boy, Microsoft had better get the OS right the
first time, as bug fixes would be somewhat difficult.

  Actually, Tandy's Color Computer has a 3-Level ROM BASIC/DOS. The first
level is a bare-bones BASIC interpreter, the second level adds many features
to BASIC (graphics, sound, etc) and the third level adds Disk commands and
file management (also in ROM). Each of these levels is another ROM to plug in.

  How is this possible? Bare-bones BASIC defines a whole slough of vectors in
RAM that are initialized to RETurns. These vectors are placed in strategic
routines (like character input/output, parsing) so that higher levels can
reset these vectors to their own handlers.

  Another thing about the Coco is that it is possible to switch off the ROM and
use the RAM underneath-- this can be used to make radical changes to the
operating system, or possible to use a totally different operating system like
OS-9 or FLEX. Upgrading a ROM-based system is possible.

  The key thing that makes virus transmission difficult is the lack of
bootstrapping-- the virus does not have a sure way of getting into the machine
in the first place- the operator has to specifically execute the infected
program.

         Andy

--------------------

Date:         Thu, 23 Jun 88 16:42:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      re: constructive viruses
In-Reply-To:  Message of 23 Jun 88 10:20 EDT from GREENY


>as long as the virus is not harmful, and its only function in life is
>to update old copies of software *AND* it requests my specific
>permission before doing so, then it seems like a fantastic idea to me.

Be careful what you ask for; you might get it.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Thu, 23 Jun 88 18:31:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Authentication of programs


I have just received a new program from RSA Data Security, Inc.  The
following note was attached:

TO:       MAILSAFE COMMAND LINE Users
FROM:     RSA Data Security Inc.
SUBJECT:  Authentication of MSCL executable program
DATE:     11 May 1988

In order to insure protection from viruses and integrity
of data we have added a Digital Signature to the end of
MSCL.EXE, the MAILSAFE COMMAND LINE executable program.
The appended signature does not interfere in any way with
the loading or execution of the MSCL program and therefore
need not be removed in order to use the product.  The
signature was produced using the RSADATA7 private key and
should be easily verifiable using the RSADATA7 public key
that was included with your standard MAILSAFE product.  If
you are using an older version of MAILSAFE or you do not
have access to this public key please contact RSA Data
Security for a copy.

To verify the authenticity of the MAILSAFE COMMAND LINE
executable program MSCL.EXE, simply verify the appended
signature using the VERIFY option in MAILSAFE COMMAND LINE
or the standard MAILSAFE product.  If you have not already
done so, you should CERTIFY the RSADATA7 public key in
order to consider the signature VALID and CERTIFIED.  If,
after certifying the RSADATA7 public key, the signature on
the end of the file MSCL.EXE is not VALID and CERTIFIED,
do not use the MAILSAFE COMMAND LINE product and contact
RSA Data Security Inc. for further assistance.

[end of attachment]

The seal is computed by encrypting the file under the Data Encryption
Standard, taking the 128 bit residue and encrypting that under the
private key.  There has not yet been sufficient time since the big bang
to find another file of that length, that will do anything at all as a
program and yield the same 128 bit DES residue, much less anything in
particular.

While this mechanism cannot protect you from accepting a virus from a
trusted source, it will permit you to know exactly where it came from.

Incidentally, RSA is negotiating with some INTERNET committee to make
their product standard and available on the net.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
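
Added example (not part of the original message and not MAILSAFE's code or file format): a Python sketch of an appended seal of the kind described above, showing what verification does and does not catch. Assumptions: SHA-256 stands in for the DES-based residue, the signature is textbook RSA without padding under constructed demo keys built from publicly known Mersenne primes, and the trailer layout (signature followed by the marker `SEAL`) is hypothetical.

```python
import hashlib

MAGIC = b"SEAL"  # hypothetical trailer marker, not a real product format


def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Build a textbook RSA key pair from two primes (demo only, no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


# Constructed demo keys: the primes are public Mersenne primes, so nothing here is secret.
VENDOR = make_key(2**521 - 1, 2**607 - 1)
IMPOSTER = make_key(2**521 - 1, 2**1279 - 1)


def sig_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def digest_int(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def seal(body: bytes, key: dict) -> bytes:
    """Append signature and marker to the program image; the body is left untouched."""
    sig = pow(digest_int(body), key["d"], key["n"])
    return body + sig.to_bytes(sig_len(key["n"]), "big") + MAGIC


def verify(sealed: bytes, n: int, e: int) -> str:
    """Check the appended seal against the public key (n, e) the user has certified."""
    trailer = sig_len(n) + len(MAGIC)
    if len(sealed) < trailer or not sealed.endswith(MAGIC):
        return "UNSIGNED"  # no seal at the end of the file
    body = sealed[:-trailer]
    sig = int.from_bytes(sealed[-trailer:-len(MAGIC)], "big")
    if sig >= n:
        return "INVALID"
    return "VALID" if pow(sig, e, n) == digest_int(body) else "INVALID"


# Constructed stand-in for an executable image.
PROGRAM = b"MZ constructed sample program image for the seal demonstration"
SEALED = seal(PROGRAM, VENDOR)


def scenarios() -> dict:
    """Verification results, always judged against the vendor's certified key."""
    n, e = VENDOR["n"], VENDOR["e"]
    patched = bytes([SEALED[0] ^ 0x01]) + SEALED[1:]           # one bit of the body altered
    appended = SEALED + b"code added after the seal"          # data placed after the trailer
    resealed = seal(PROGRAM + b" modified", IMPOSTER)          # sealed again under another key
    return {
        "intact": verify(SEALED, n, e),
        "patched": verify(patched, n, e),
        "appended": verify(appended, n, e),
        "resealed_other_key": verify(resealed, n, e),
        "resealed_checked_with_its_own_key": verify(resealed, IMPOSTER["n"], IMPOSTER["e"]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the reason the note asks users to CERTIFY the RSADATA7 public key: a seal is only evidence of origin relative to a key the verifier already trusts.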

--------------------

*** end of Virus-L issue ***
