Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25906; Tue, 12 Jun 90 06:49:55 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA12999; Tue, 12 Jun 90 06:49:52 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04307; Tue, 12 Jun 90 06:49:40 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa09789; 12 Jun 90 11:16 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:09:16 BST 
Message-Id:   <$TGVTCZHTCBWB at UMPA>
Subject:      Virus-L vol 0 issue #0818



Virus-L Digest Thu, 18 Aug 88, Volume 0 : Issue #0818

Today's Topics

Virus Infection Potential
Beginnings
reply to virus chat
Limited Functionality
Debate

------------------------------

Date:         Thu, 18 Aug 88 00:15:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Virus Infection Potential

David,

> Doesn't the very definition of a "computer" mean that it can
> perform various functions?  Otherwise what would the use of
> one be besides a paperweight?

I have never seen a computer defined as a box that can perform
various functions.  A computer can do one specific function
without being a paperweight.  Have you ever seen a calculator?
Have you seen a television?  In a way, each of these is a computer
and each has a specific function.

What I said in my letter, paraphrasing Fred Cohen, is that
if we make computers perform one specific function (like
a computer to open doors for us when we approach, or a
computer to cook our food in the microwave) then it does
not have a serious problem with viruses.  If we limit
the functionality of a computer, we limit the approach,
or the infectibility of a computer.  Unfortunately, it
also means that we may need more equipment to do something.

I also never stated that government and bank computers
were more infected than other computers, nor that they
were more at risk of being infected.  They DO however,
often have the most to lose.  I believe I also added
a "so on" onto the end of that.  What I was saying is
that we have to protect our "secure systems" (I'm
sure most of you have heard the term before).

Viruses have been able to do what other programs cannot,
they sidestep security by entering a computer by way
of an authorized user who doesn't realize that he or
she is carrying the virus.

It doesn't matter much if a college LAN loses all its
information (unless someone stores important research
on that LAN), but it is critical if a large banking
institution loses all its records (which happened
recently), or if NASA loses the program which runs
the space shuttle just as it's blasting off.

> I would hope that 1) only authorized administrators
> use the computer, and 2) none of them want to kill their
> bank files.

This is absolutely irrelevant.  Few people PURPOSELY infect
their computer systems.  How many of us go around injecting
bad programs into our own important files?  That is ridiculous!
When someone's disk is infected by a virus, they generally
don't know it.  They spread the virus to their company's
files accidentally, they don't realize that they are carrying
something deadly to their records.

Loren Keim

--------------------

Date:         Thu, 18 Aug 88 03:02:36 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Robert Newberry <RNEWBER@AKRONVM>
Subject:      Beginnings

Hello all

I was wondering when the first computer virus was first discovered?

                                       Rob...

ROBERT NEWBERRY <RNEWBER@AKRONVM>   =                                   =
UNIVERSITY OF AKRON                 =   I COULDN'T THINK OF ANYTHING    =
COMPUTER CENTER                     =            WITTY TO SAY!          =
AKRON OHIO   44304   USA            =                                   =

--------------------

Date:         Thu, 18 Aug 88 09:10:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David A. Bader" <DAB3@LEHIGH>
Subject:      reply to virus chat

>> Doesn't the very definition of a "computer" mean that it can
>> perform various functions?  Otherwise what would the use of
>> one be besides a paperweight?
>
>I have never seen a computer defined as a box that can perform
>various functions.  A computer can do one specific function
>without being a paperweight.  Have you ever seen a calculator?
>Have you seen a television?  In a way, each of these is a computer
>and each has a specific function.

I agree that a calculator is a computer, and it can perform various
functions... It CAN also have I/O lines (such as to printers or input
tape or something like that.)  Also, if in one of your previous
messages you said that theoretically viruses can hide in between disk
sectors, why can't they hide in the memory of a simple calculator...
Maybe 2 + 2 *does* equal 5 on a corrupt calculator!!! Also, isn't a
"computer" as we call it (like a PC or a mainframe) just a glorified
calculator.  The center of a computer's functioning is its ALU, and
that is just the same as a calculator, just on a different scale.
As for a TV being a limited function computer, so is the human body for
that reason! You have input, output, conversions in between... I don't
think resorting to a TV is a good example though of a single function
computer since ANYTHING we name can be a one function computer!

>What I said in my letter, paraphrasing Fred Cohen, is that
>if we make computers perform one specific function (like
>a computer to open doors for us when we approach, or a
>computer to cook our food in the microwave) then it does
>not have a serious problem with viruses.  If we limit
>the functionality of a computer, we limit the approach,
>or the infectibility of a computer.  Unfortunately, it
>also means that we may need more equipment to do something.

Don't we already have these things?? How about at security doors where
you need to punch in a code to open the door? That is a computer there,
or most microwaves are digital making them computers of sorts.. My point
is that when we talk viruses, we usually mean "computers" on one-level
deeper, but ANY one-function computer can get a virus if the correct
input is applied.

>                                      They DO however,
>often have the most to lose.

Why do banking systems and government systems have the most to lose??
EVERYONE has a lot to lose. Any PC has a lot to use, and I would bet
that the storage on PC systems totalled in the country (all kinds of
media) is far greater than the banking and government systems.  Also
add in the universities and public areas of computers; they, too, have
a *lot* to lose.

>Viruses have been able to do what other programs cannot,
>they sidestep security by entering a computer by way
>of an authorized user who doesn't realize that he or
>she is carrying the virus.

While this is true and I agree with the statement, also remember that
many systems crash because of inexperienced users with the
authorization.  I think most will agree that the person who has no idea
how to use a system can do the most damage!

>It doesn't matter much if a college LAN loses all its
>information (unless someone stores important research
>on that LAN), but it is critical if a large banking
>institution loses all its records (which happened
>recently), or if NASA loses the program which runs
>the space shuttle just as it's blasting off.

Why do you assume that a LAN will have backup, but large banking
institutions and NASA don't?? A LAN might have just as much information
that changes daily, only fewer humans are involved when the data is
corrupted.  In a large banking institution, I would assume that any
data corruption umbrellas down into a few hundred thousand customers.

>> I would hope that 1) only authorized administrators
>> use the computer, and 2) none of them want to kill their
>> bank files.
>
>This is absolutely irrelevant.  Few people PURPOSELY infect
>their computer systems.  How many of us go around injecting
>bad programs into our own important files?  That is ridiculous!
>When someone's disk is infected by a virus, they generally
>don't know it.  They spread the virus to their company's
>files accidentally, they don't realize that they are carrying
>something deadly to their records.

This is not absolutely irrelevant. A lot of time bombs (and conceivably
virus-type time bombs) have been left in systems by disgruntled
workers, or system programmers who want an insurance that a company
will pay for the software, or as a means of assuring that the system
won't be given to anyone else.  If you consult the National Security of
Computers (?) department under the Department of Defense, I am sure
that they will have a lot of cases to share with you.

David A. Bader
DAB3@LEHIGH

--------------------

Date:         Thu, 18 Aug 88 13:27:09 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Limited Functionality

The first computer virus, Robert, according to Fred Cohen
was done at a computer security meeting in 1983.  (I think
it was October, but I am not 100% certain of that).  However,
the Navy had been working with virus-like programs for
a long time before that.  As one member of this list mentioned
to me before, there were writings on viruses as far back as
the 40's.

As for Limited Functionality, since there is still a problem
with it, I will define it one last time, and I will define
it slowly.

A virus cannot infiltrate a good computer system that is
completely isolated if it does not already have one built
in to the software that it came with.  When I mean isolated,
I mean we can use NO other software on it other than that
which it came with, and have no modem, nothing connected
to it.  It is isolated.  It has been proven over and
over again... a virus cannot infect this machine, because
there is no way for a virus to enter it.

The government back in the 70's came up with a whole slew
of ideas about isolating computers, but a computer cannot
easily be completely isolated.  So they came up with
two alternatives:  Limit the access to the machine as completely
as possible, or Limit the functionality of the computer.

What they meant by Limit the Functionality of the computer,
later redone by Fred Cohen, was that if a computer had all
its programs BUILT IN to the computer, and if it could not
run an outside program, and if it had some specific function.
Then there really isn't a way for a computer to enter the
system.  Memory is reserved for data.  A special bank is
for the program and that is unable to be written to.

In later talks, Fred Cohen described computers which were
designed for special purposes, like opening doors for
people and feeding the fish.  If there isn't anything connected
to these computers, i.e., no I/O ports and no outside access,
then there really is no way for a virus to enter.  Likewise,
it's pretty hard for a virus to propagate if it doesn't have
a lot of similar connected boxes.

> Don't we already have these things??  How about security
> doors where you need to punch in a code to open the
> door?

Yes, we do.  And you have just fried your own theories.  You
stated that viruses could propagate across single function
boxes, and then you say that these boxes exist.  Isn't
there a security system around?  Yes, there is.  Have you
ever seen a virus attack one?

I haven't.

Also, yes a single-function computer MAY be able to "get"
a virus, but it's not good for spreading viruses.  Many single
function boxes which are unlike are VERY hard to write ANY
virus for.  By this point, we would have made it so difficult
to write a virus that one could not easily exist.

> Why do banking systems and government systems have the most
> to lose??  EVERYONE has a lot to lose.

Again, I never said that banking systems and government systems
ALONE had the most to lose.  I said that it would be very dangerous
for these and LIKE systems to be destroyed.  If a major bank
lost all its records, WE would be in trouble.  Our economy
may feel the damage.  If the government's nuclear device-controlling
computer was set off by a virus... WE would all be in trouble.

This is much more serious than YOU losing a few games and a
research paper for one of your professors, don't you think?

> Why do you assume that a LAN will have backup, but large
> banking institutions and NASA don't?

Nowhere did I say anything about backup.  Quit putting words
in my mouth.  That is wonderful to fuel an argument, but we're
trying to have rational discussions, not scream at each other.

Backups are, as always, important.  One problem we've run
across is a virus that will delete all the files on a system,
but before doing this, it lies in wait for several months.
When you load the last system, it destroys this as well because
it's after a certain date.  People don't quite understand, so
they load the second oldest, which they lost also.  By this
point they get the picture, fix the problem when they load
the next time... but it's too late... we've lost 2 months
worth of work.

Backups are NECESSARY though.

Loren

--------------------

Date:         Thu, 18 Aug 88 14:47:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Kent Cearley - UMS - 492-5262
              <CEARLEY_K%wizard@VAXF.COLORADO.EDU>
Subject:      Debate

>As for Limited Functionality, since there is still a problem
>with it, I will define it one last time, and I will define
>it slowly.

Loren, I sense some unnecessary antagonism here. Without putting
words in your mouth, it appeared to me the concept of limited
functionality was adequately understood, I believe its utility as
a practical solution to infection was being questioned. Certainly
it follows that if a system accepts no input, and originally
contains no contaminated code it will not acquire any, it really
doesn't require much 'proof'.

Limiting functionality would seem to simplify management of the
dedicated machine, but, I believe in most instances the utility
of such an arrangement would be in its interconnectivity to other
specialized processors. This connectivity or network could be viewed
as, and is in fact becoming, a 'virtual computer' in its own right,
with all the attendant complexities of a general purpose system.

Has anyone explored the concept of expert systems regulating security?
Perhaps implemented like regression testing in software engineering,
i.e. it familiarizes itself with the 'typical' activity of a system...
quantitatively e.g. avg disk writes for program 'x', free memory,
non-data sector reads/writes, maybe feature analysis techniques,
suspending activity in anomalous situations: Threshold for disk writes
exceeds typical average: memory map =.... continue Y or N, Attempted
write to .COM or .EXE file continue Y or N, programmed in ROM and
supplied as a plug in board? Who knows, just free falling to explore
different directions and maybe trigger other associations.

*-----------------------------------------------------------------------*
|  Kent Cearley                   |  CEARLEY_K@COLORADO.BITNET          |
|  Management Systems             |                                     |
|  University of Colorado         |     "All truth contains its own     |
|  Campus Box 50                  |      contradiction"                 |
|  Boulder, CO 80309              |                                     |
|                                 |                                     |
*-----------------------------------------------------------------------*
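
A sketch of the activity-baseline monitor suggested in the message above, added here as an example and not part of the original digest or any poster's code: it learns typical disk writes per program, then returns reasons to suspend a run (writes above the learned threshold, or an attempted write to a .COM or .EXE file). The class name, the three-sigma limit, the minimum sample count and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

EXECUTABLE_SUFFIXES = (".COM", ".EXE")

class ActivityMonitor:
    """Learns per-program disk-write baselines, then flags deviations."""

    def __init__(self, sigmas=3.0, min_samples=5):
        self.sigmas = sigmas              # assumed tolerance above the average
        self.min_samples = min_samples    # runs needed before a baseline is trusted
        self.history = defaultdict(list)  # program name -> disk writes per run

    def learn(self, program, disk_writes):
        """Record one known-good run during the familiarization phase."""
        self.history[program].append(disk_writes)

    def check(self, program, disk_writes, files_written=()):
        """Return the reasons to suspend this run; an empty list means allow."""
        reasons = []
        for name in files_written:
            if name.upper().endswith(EXECUTABLE_SUFFIXES):
                reasons.append(f"attempted write to executable {name}")
        samples = self.history.get(program, [])
        if len(samples) < self.min_samples:
            reasons.append("no baseline for program")
        else:
            # Floor the spread at 1 so a perfectly steady program
            # does not trip on a single extra write.
            limit = mean(samples) + self.sigmas * max(pstdev(samples), 1.0)
            if disk_writes > limit:
                reasons.append(f"disk writes {disk_writes} exceed limit {limit:.1f}")
        return reasons

# Constructed training data: disk writes seen on normal runs of each program.
TRAINING = {"EDITOR.EXE": [12, 15, 11, 14, 13, 12],
            "SORT.COM": [40, 38, 42, 41, 39]}

def build_monitor():
    monitor = ActivityMonitor()
    for program, runs in TRAINING.items():
        for writes in runs:
            monitor.learn(program, writes)
    return monitor

if __name__ == "__main__":
    m = build_monitor()
    for prog, writes, files in [("EDITOR.EXE", 13, ["NOTES.TXT"]),
                                ("EDITOR.EXE", 14, ["COMMAND.COM"]),
                                ("SORT.COM", 400, ["OUT.DAT"])]:
        print(prog, writes, m.check(prog, writes, files) or "allow")
```

A non-empty result corresponds to the "continue Y or N" prompt in the message; the decision itself is left to the operator.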

--------------------

*** end of Virus-L issue ***
