Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA26008; Tue, 12 Jun 90 07:17:43 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13106; Tue, 12 Jun 90 07:17:40 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04505; Tue, 12 Jun 90 07:17:27 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa10595; 12 Jun 90 11:34 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:11:28 BST 
Message-Id:   <$TGVTCZHTCBWX at UMPA>
Subject:      Virus-L vol 0 issue #0828



Virus-L Digest Sun, 28 Aug 88, Volume 0 : Issue #0828

Today's Topics

Virus Law
Who's SAFE?
Virus Conference
Computer Virus and Security Papers
Conference Notes

------------------------------

Date:         Sun, 28 Aug 88 19:04:29 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David.Slonosky@QUEENSU.CA
Subject:      Virus Law

I have a hypothetical legal question. Suppose User A has the perfect
program on a disk, a easily used and fast DOS shell/notepad/modem program/
data base/word processor/spreadsheet/coffee maker... Unknowst to user A,
a virus has become embedded in the boot track of his/her copy of the
disk. User B, desirous of obtaining user A's program, copies files from
this disk and begins using it. 2 weeks later, B's hard drive is trashed,
along with valuable information.

Questions:

1) Is A legally to blame?

2) How does A prove his/her innocence in the matter if it is
   known that A is a capable assembly language programmer?

3) Does this scenario change if A is a large software manufacturer?
   If B is a large corporation who receives infected files from
   another corporation and has an entire set of confidential data
   corrupted?

4) Are BBS SYSOPS responsible for any malicous software which is
   downloaded from their boards?

I just thought of these in the shower last night. I don't know
how many CPU lawyers there are out there, but I hope that these
are relevant questions.

David Slonosky/QueensU/CA,"",CA       |         Know thyself?            |
<SLONOSKY@QUCDN>                      |  If I knew myself, I'd run away. |

--------------------

Date:         Sun, 28 Aug 88 21:35:21 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Who's SAFE?

Well,

I've had quite a few questions (alright, I've had a truckload
of questions) on who can receive viruses, who is alright to
have copies, etc etc etc.  I can't tell you precisely who
may or may not receive anything, unfortunately.  Generally
its played by ear.  There are several groups and institutions
dedicated to computer security which are recognized by the
computing society to be reasonably safe.  As William Murray
pointed out sometime this weekend, in the study of
security threats, we all end up compromising to some
extent in order to observe something.

Fred Cohen is a member of the Foundation for Computer Integrity
Research, Joseph Beckman is an employee of the National Computer
Security Center, the FBI has people investigating computer virus
propogation, Maria Pozzo has worked on creation of B2 security
systems and has studied Viruses under grants from IBM if memory
serves, I am independent and have been called upon several times
to work on security problems or virus containment.

All of these people are relatively "safe".

FoundationWare of Ohio claims that the only rightful holders
of the Lehigh Virus include the federal government, Lehigh,
and them (that is on memory, I believe I am correct in
that statement).  Yet I have run across several companies
with copies of the program as well as several newsmen with
copies (NEVER give viruses to newsmen!!!)

I spoke at length to someone a while back who identified himself
as working for the NSC.  He told me that I could continue
research on specific viruses if I had worked on them for some
institution.  He told me, however, that NO ONE was to get a
copy of the Lehigh Virus (interesting puzzle).

Joe Beckman:

> As an employee of the National Computer Security Center, I must
> point out that we do *NOT* attempt to track perpetrators for
> prosecution or for *ANY* other reason!

> We are not a law enforcement Agency, and are prohibited by law
> to take any such action.

Who is authorized to have viruses, I asked the man from the
NSC.  He said that it was very hard to say who may have what
at what time.  He said that the matter was a national security
threat and that viruses should not be handled by any more
people than those that are treating the problem, and even
then it should be reported.  He failed to tell me where
I could report it.

So who is authorized to handle viruses?  Am I?  Is
William Murray? Is anyone?  Does it matter what qualifications
we have, or how many security problems we have solved in
the past, or any work we may have done that was related
to the problem?  I really don't know.

If I am asked to help with a viral problem or infection at
some university, corportation, government office and so
on, I will continue to appear, and I will continue
to work on such problems and will continue to design security
systems for companies and research facilities.

If the FBI comes to me and wants complete information, I
will give them everything I can; if someone designing a
virus-fighting package comes to me, I probably will not.

Its a question I can't easily answer.  I've spoken
at length with people before about particular viruses.
I've gone over code with other people of some viruses and
I've played with some viruses with others who have spent
a great deal of time studying viruses and security threats.

Loren

--------------------

Date:         Sun, 28 Aug 88 21:40:04 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Virus Conference

The Conference seems to be going well.  I have a lot of letters
to reply to on the subject, and haven't had time, so hold on
and I'll get to them.

Please try to submit your reservation to me as soon as possible
for the conference so I can make sure we'll have enough people
coming to cover expenses.  Remember to send it to:

Virus Conference
c/o Loren Keim
P.O. Box 2423
Lehigh Valley, Pa. 18001

Include your name, company/college name, position, and any
information you might feel is pertinant.

Thanks,

Loren Keim

--------------------

Date:         Sun, 28 Aug 88 21:49:57 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Computer Virus and Security Papers

In accordance with so many requests for a list of virus
articles, I'll write some down which were fairly good:

Fred Cohen, "Computer Viruses", Proceedings of the 7th
DOD/NBS Computer Security Conference, Sep 1984, p 240-263.

K.J. Biba, "Integrity Considerations for Secure Computer
Systems, MITRE Technical Report, MTR-3153, June 1975.

M.M Pozzo "Managing Exposure to Potentially Malicious Programs",
Proceedings of the 9th National Computer Security Conference, Sep
1986.

M.M Pozzo "An Approach to Containing Computer Viruses", Computers
and Security 6 (1987), p 321-331.

Some people may also look for:

A.D. Dewdney "Computer Recreations", Scientific American, May 1984,
pp 14-22.  (Corewars Game)

D.E. Denning, "Cryptography and Data Security".  Addison Wessley
Pub, Reading Ma.  1982.

Fred Cohen "Computer Viruses - Theories and Experiments", Computers
and Security 6 (1987) pp. 22-35.

D.E Bell and L.J. LaPadula "Secure Computer System: Unified
Exposition and Multics Interpretation"  MITRE
Technical Report, MTR-2997, July 1975.

Also,  one that I haven't had any luck tracking down yet
- -

Shoch, J.F. and Hupp, J.A. "The Worm Programs" Communications
of the ACM 25, 3 (March 1982) 172-180.

If anyone sees this last one, can they please forward me a
copy of it?

Loren Keim

--------------------

Date:         Sun, 28 Aug 88 23:23:59 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Conference Notes

Sorry to keep cluttering up your mailboxes!

To answer some questions, what I said about the conference
a few hours ago probably didn't come out quite right.  What
I meant was that I have received approx 15 registrations
for the conference.   In addition, I have received over
60 e-mailed letters telling me that people are coming, but
I haven't yet received any notes from them/checks from
them.   We have a total of almost 400 people who have
either requested more information, or have stated that they
have collegues, friends and associates who might like
to attend.

I am waiting till we receive a total of about 50 notes
to the P.O. box before I send out information about Hotels
and so on.   Although I'm quite certain we'll have a large
number of professionals show up for the conference, I'd
like to make certain we are covered.

So please don't wait to send in a note to me telling me
that you are coming (I know, I'm slow at doing things as
well), send something off to me as soon as possible.

Looks like we have two panel discussions with a total
of 7 people speaking set up so far.  We're still trying
to get hold of a few more people.   We have a great
bunch of people coming so far from a wide range of
the computer communittee.  Please join us.

Loren Keim

(For those who missed it twice before:

PO Box 2423
Lehigh Valley Pa.  18001
)


--------------------

*** end of Virus-L issue ***