Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA28114; Thu, 14 Jun 90 10:20:49 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA25088; Thu, 14 Jun 90 10:20:45 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA03080; Thu, 14 Jun 90 10:19:42 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa24850; 14 Jun 90 14:50 BST From: Anthony Appleyard To: DAVIDF@cs.heriot-watt.ac.uk Date: Thu, 14 Jun 90 13:45:28 BST Message-Id: <$TGVTCZHTDXDZ at UMPA> Subject: Here is Virus-L vol 0 issue #0829 Virus-L Digest Mon, 29 Aug 88, Volume 0 : Issue #0829 Today's Topics Losing more than data... virus blame, p.o. boxes, and NSC CRC vs. encryption schemes Re: Who's SAFE? Re: Virus Conference ** no subject, date = Mon, 29 Aug 88 10:54:21 EDT RE: CRC vs. encryption schemes ** no subject, date = Mon, 29 Aug 88 11:17:04 EDT Re: PERFECT virus? Re: Who's SAFE? Re: SUG Re: The Adolescence of P1 Re: Softguard what is DER ? Re: The First Virus Re: More administravia ... Outline of Worm Pgms Paper in CACM ** no subject, date = Mon, 29 Aug 88 14:12:12 EST ------------------------------ Date: Mon, 29 Aug 88 09:48:00 URZ Reply-To: Virus Discussion List Sender: Virus Discussion List From: BG0@DHDURZ2 Subject: Losing more than data... Hi folks, all of us are afraid in some sense of what viruses *can* do. Sometimes it seems as if viruses make a computer system vulnurable as never before. Although this may not be correct I think most of us have thought of the possible harm on people if a viruses hit a computer system. So many people on this list talked about the tragic of losing data and/or programs. But what is the loss of (even valuable) data compared with the death of a human being caused by an erratic computer system in a hospital? To see this is not a fiction, have a look at the following (words CAPSed by me): > COMPUTER VIRUSES > > Some time ago an INTENSIVE CARE UNIT in Glasgow found that its normally > well ordered computer network was becoming erratic: data were being > corrupted and files were being lost. Recently a general practioner who > used an IBM compatible computer for his repeat prescriptions discovered > that important files were being corrupted. In both cases a computer virus > was at work. Eventually the viruses were identified and exterminated, but > not quickly and not without the loss of data. [... definition of a computer > virus is and how it works...] > JOHN ASBURY, senior lecturer in anaesthetics, > University of Glasgow" [ British Medical Journal, No. 6643, Vol. 297, Jul.,23 1988 ] Can anybody on this list confirm this? Anyway, I think we will have some new topics for further discussions: - What mental diseases drive a programmer to design a virus that will hit a hospital computer system? - If a person is being killed by computer (re-)action caused by a virus: Is sHe (the programmer) a murderer? - How should computers be used in environments like a hospital while a secure computer system (resistant against viruses) is not available? Waiting for appropriate answers, Bernd. +-----------------------+--------------------------------------------------+ ! Bernd Fix ! EARN/BITNET: BG0@DHDURZ2 or BG0@DHDURZ1 ! ! Bergheimer Str. 105 ! UUCP: ...!{unido%pyramid}!tmpmbx!doitcr!bernd ! ! D-6900 Heidelberg ! VNET (VoiceNET): +49 6221 164196 ! +-----------------------+--------------------------------------------------+ ! ....1010101001110101101010010010101001001000100101011011101100101.... ! ! This doesn't look like a cry for help, more like a warning! ! ! ! +--------------------------------------------------------------------------+ -------------------- Date: Mon, 29 Aug 88 06:48:30 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: me! Jefferson Ogata Subject: virus blame, p.o. boxes, and NSC Hopefully if person A unwittingly supplies a virus to person B, he won't be assumed guilty merely because he is a capable assembly programmer. Then burden of proof SHOULD be on the plaintiff. Knowledge of program- ming skills would be purely circumstantial (I think). Loren and everyone: I'm perhaps a bit paranoid about money, but I make it a point NEVER to send money to an unincorporated individual via a P.O. Box for something of which I have no proof or receipt. So if registering for your confer- ence must involve sending a check to your P.O. Box, I'll have to forget it. If you can provide a more reasonable method, I'd love to come. Who is the National Computer Security Center? Is this what you mean by NSC? - Jeff Ogata -------------------- Date: Mon, 29 Aug 88 14:53:09 +0300 Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Y. Radai" Subject: CRC vs. encryption schemes Loren Keim writes: > There are >packages that have had extensive testing by the NSC I'm >told, there are packages that utilize DER encryption schemes >which is much better than trying a simple CRC. > >I would pay at least 5 times as much for a DER encryption >than for a CRC scheme. You have to realize that the value >of the product is worth what was put into it. I challenge Loren to defend the claim that a CRC scheme is inferior to an encryption scheme. But first, let's get one thing clear. Opinions on the merits of CRC differ widely, and I think this is due almost entirely to the fact that different people mean different things when they speak of CRC. For purposes of checking whether a file has been corrupted while sent over a communications line, CRC with a *standard* generating polynomial, usually the CCITT polynomial, is used. However, when a checksum (or signature) algorithm, CRC or otherwise, is used for detecting viral infections, the first requirement, in order to minimize the likelihood of forging the checksum, is that (for any given file) it should yield a *different* checksum when used by different users. In the case of the CRC algorithm, this ordinarily means that instead of using a *fixed* generator for all users, that polynomial must be chosen *personally* by each user or *random- ly* by the program when the database of checksums is first created for that user. Given satisfaction of this requirement, I challenge Loren to produce explicit reasons why a program based on a CRC algorithm is any worse, from a practical point of view, than one based on "DER" [DES?]. And similarly for anyone else who thinks the same of RSA or any other cryptographic algorithm. And if anyone can come up with such a reason, let him explain why such an algorithm is *suffi- ciently* better than CRC to justify the *much greater execution time* required. It should be pointed out that *no* checksum algorithm, no matter how sophisti- cated, will provide dependable detection of viral infection unless certain loop- holes are blocked by the program utilizing that algorithm. I know of three such loopholes and I know of only one program which satisfies the above requirement and which blocks all three loopholes. (I suspect that even Fred Cohen's RSA- based program [1] doesn't do this, and that even with his latest techniques for reducing execution time, a CRC-based program will still run considerably fas- ter.) Y. Radai Hebrew Univ. of Jerusalem [1] F. Cohen, "A Cryptographic Checksum for Integrity Protection", Computers & Security 6 (1987) 505-10. (I've been told that the source code for his program appeared in the April 1988 issue of C&S, but I have not yet seen it.) -------------------- Date: Mon, 29 Aug 88 08:13:00 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: WHMurray@DOCKMASTER.ARPA Subject: Re: Who's SAFE? In-Reply-To: Message of 28 Aug 88 21:35 EDT from "Loren K Keim -- Lehigh University" I am not sure that we have the correct question here. The question is not so much "who is safe" as it is "how is safe." If viruses were hard to come by, we should not bother to have this discussion. It is a little silly to say that anyone has a proprietary right to the Lehigh virus. If people were trying to maintain their proprietary rights in viruses, there would not be a problem. The question is, how can qualified academics exchange sufficient information about the nature of specific viruses without contributing to the problem? I hope that we can agree that distributing live viruses by this network is not appropriate. Three ideas occur to me. 1) Know who you are talking to. Before sending a virus to anyone, be certain that you know who they are. They can advertise their interest (even in the network), and credentials. You can check those credentials with others. You can verify the address. 2) Carefully label the virus. Part of the problem with viruses results from the fact that they do not advertise their purpose and intent in their names and documentation. To label them is, at least partially, to disarm them. 3) Sterilize them or disarm them before sending them. The academic is interested in how the virus is designed to behave. It is useful to preserve that information. However, it is not necessary to preserve the behavior to do that. If you are able, disarm the virus before sending. If you are not, best leave the forwarding to someone who is. Simply destroy the virus. If yours is the last copy, you are a hero. If not, someone qualified to disarm it will likely see it. Others can surely add to this short list. All that having been said, I think that a demonstration is required of those who assert that this traffic is necessary. We have seen excellent expositions in this forum of all of the necessary information to deal with particular viruses. I would assert that those expositions told me everything that I needed to know, even everything that I needed to write a specific antidote, without preserving the behavior of the virus. While I acknowledge that not just anybody could have done the necessary analysis or written those expositions, and it is necessary to deliver the virus to those that can, I would hope that we can limit the traffic to the absolute minimum necessary to accomplish that. If the exposition has been done, further distribution of that virus can only be justified by morbid curiosity. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 -------------------- Date: Mon, 29 Aug 88 08:15:00 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: WHMurray@DOCKMASTER.ARPA Subject: Re: Virus Conference In-Reply-To: Message of 28 Aug 88 21:40 EDT from "Loren K Keim -- Lehigh University" While I have watched a lot of the traffic about the conference, I must have missed the actual announcement. Please send me a copy. In the meantime, please count me in. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 -------------------- Date: Mon, 29 Aug 88 10:54:21 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: OJA@NCCIBM1 Re: Distribution of viruses/accountability/liability Mr. Murray madr excellent points concerning the compromise of security by even the people who work as security managers. The more people who have access to the "live" viruses, the more likely that there will be a leak. Most of the security mangagers are probably themselves trustworthy (I hope. :-)) but then what each manager's computers, buildings, support staff, etc.? The potential for unintentional leaks persist; the only sure preventive is not having the viruses there period. The more people undertaking to study and develop means of countering viruses (which is definitely needed), the risks increase. Then, even with otherwise respectable people, there is always a possibilty that someone will have a "price" that will suffice to encourage them to "leak" the viruses. The price could be monetary or ideological. I have a mental scenario that illustrates this situation. Let's say that a manager of Irish-American background were approached by several "interests". Each one sought to use viruses as a weapon again their "target" computers. The manager refuses and most likely passes on information about such "offers" to security agencies, FBI, NSC, whatever. Then someone from the IRA came up and suggests the need for hitting the computers used by MI6 or the Royal Ulster Constabulary. The manager's principle MAY come under more severe test now. (This scenario is not to pick on the Irish or any particular group. Most people have a vulnerable area. Hopefully, integrety will win out. For myself, I can admit that I probably would shed little tears if a computer system used by the PLO or by a neo-Nazi group was hit by a virus. But I also realize the gigantic dangers of "firing the first salvo" inthe world.) Yes, this scenario resembles something out of a "spy thriller" but it serves as an apt warning about human weaknesses. Of course there are other factors that can encourage leaks. Greed and revenge are all time classics. The danger exists. The more like hazard still is a leak by employess, cleaning personell (yes this can happen if the systems are not well secured, burglers carting off the PC's, etc. It is even worsened when the viruses are given to newsmen. (Although my secondary job is along those lines, I agree about the dangers expressed by Loren.) There are all too many curiousity seekers out there as well; people who want a virus as a "throphy". -------------------- Date: Mon, 29 Aug 88 11:14:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" Subject: RE: CRC vs. encryption schemes Y. Radai asks why CRC checking, given the requirement that: [The] polynomial must be chosen *personally* by each user or *random- ly* by the program when the database of checksums is first created for that user. is not as good as a DES- or RSA-based checksum. The answer is: It depends on the model you are concerned with. But before we even get to that, you CANNOT choose any old "random" polynomial - you have to choose one from an appropriate class. This is not hard to do; the theory is worked out in a paper of Rabin's, "Fingerprinting With Random Polynomials" or some such. (Sorry, I don't have the reference; it probably appeared in a STOC or FOCS 3-4 years ago.) Note that to get reasonable security, you need a moderately large polynomial, so your software implementation may not be as fast as you thought it would be. As for the model: A CRC scheme assumes that your opponent cannot see the result of applying your CRC. CRC is not (known to be) "crypto-secure": It may very well be that, given a program P and its CRC C, with an unknown polynomial, I can find another program P' with the same CRC. Note that this is a MUCH weaker condition than saying that I can determine the polynomial. In fact, the real situation may be that I cannot be CERTAIN that P' will work, but that probabilistically it's a good bet. Given a properly-constructed cryptographic checksum, such as the DES checksum, even if I can CHOSE a large sample of programs P1,...,Pn and get you to hand me their checksums, I still can't find any other program P' with the same checksum as any of the Pi's - unless I know the key you are using. Is this important? It depends on the situation. Using CRC, you can NEVER publish lists of checksums. With DES, you can do so safely. Only people to whom you have given your key will be able to do anything useful - or nasty - with the published information. It's possible construct even stronger checksums: Those which cannot be spoofed EVEN BY SOMEONE KNOWING THE KEY. This is easy to do using a technique that, unfortunately, makes the checksum as large as the information being protected: An RSA signature will do quite nicely. Whether there is a way to do this with a small checksum, I don't know. -- Jerry -------------------- Date: Mon, 29 Aug 88 11:17:04 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: OJA@NCCIBM1 Re: Limiting dist of viruses as protection for computer professional While there is legitimacy for a very limited distribution of viruses for study by a limited number of professional, limiting the distribu- tion of viruses, beside protecting the world in general, also protects computer professionals who might otherwise keep a virus or two around. A story from my college days when I worked on summer as a porter (translate that as a janitor) in a hospital. One day, the housekeeping staff had accidentally locked themselves out of the laundry room and the washing machine was going amok- overflowing with sudsy water. The water and suds were coming out from under the door. I offer to try to open the door using a couple of methods that I had heard of. One of the houskeepers warned me not to do it. Rather, she suggested, let the flooding continue until the hospital got a locksmith. The reason is that if I suceeded opening the door, it would be viewed that i "knew locks". So, then, if anything was stolen, if any drugs disappeared, or any equipment vanished, I would have been the prime suspect. And this was not a matter of "pikuach nefesh", of life or death. So I followed the advice. Her advice stuck with me over the years. It also applies to computer data security issues. If I kept viruses and something happend in my area of New Jersey, I could be viewed as a suspect. It has been hazardous enough for being known as an authorof articles about viruses. (One BBS sysop claimed that my text was a "virus" because his BBS crashed soon after I uploaded an ASCII file of one of my articles. Guilt by association.) So all the better not to have the "live samples" unless one is REALLY part of the solution. Addenum to previous posting of accountability.... Another problem in distributing viruses is the problem of verifying who the "security professionals" making requests are. E-mail can be deceptive. Same for letters, phone calls, etc. Face to face contact helps, but all too often there is great amount of uncertainty. This uncertainty can be reduced by further follow-up checks, but the risk in never eliminated totally. In reading about security risks elsewhere, I have come across a number of examples of "spoofs" where someone was induced to work for the KGB or other agencies by the agency presenting itself as some other group- CIA, MI5, Mossad, etc. Again, these are extreme cases. But they illustrate how often people will only do shallow checks. Incidentally, a corpate/ government letterhead is not absolute proofof "genuiness" either. One can always form a "dummy" corporation and the print shops can always prepare a letterhead of any design. There is even the danger of an employee of legitimate cancerns with their own "adgenda". It is a very complicate world out there. Again, Mr. Murray thank you. PS, Mr. Murray, I'll be getting in contact with you about the question concerning FIDONET that you asked before the Fred Cohen lecture in July. -------------------- Date: Mon, 29 Aug 88 11:53:02 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Bob Babcock Subject: Re: PERFECT virus? In-Reply-To: USERCE57@UBCMTSG message of Sat, 27 Aug 88 12:22:30 PDT >An extra, and as yet >unidentified hidden file seems to have appeared on the hard disk and many >floppies. (This is in addition to the two MS-DOS system files and one >partitioning the hard disk.) If a disk has a volume label, CHKDSK will count that as a hidden file. Could this be the "unidentified" hidden file? -------------------- Date: Mon, 29 Aug 88 12:00:08 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Ken Pendell Subject: Re: Who's SAFE? In-Reply-To: Message of Sun, 28 Aug 88 21:35:21 EDT from > >If the FBI comes to me and wants complete information, I >will give them everything I can; if someone designing a >virus-fighting package comes to me, I probably will not. > >Loren > You have a much greater trust in our government than I. Ken Pendell -------------------- Date: Mon, 29 Aug 88 13:02:54 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Frank San Miguel Subject: Re: SUG In-Reply-To: Your message of Thu, 25 Aug 88 10:32:24 EDT I'm not sure as to when the company's going to court, but I'll keep an eye out for any reports. Any more volunteers for watching for Softguard? -------------------- Date: Mon, 29 Aug 88 13:23:45 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: GARY SAMEK Subject: Re: The Adolescence of P1 In-Reply-To: Message of Sat, 27 Aug 88 20:03:00 EST from For everyone that is now looking for this book, it is now out of print. Or at least it was out of print at the beginning of this summer when I last gave a serious attempt at locating a copy of it. If anyone has any luck finding a copy of this book, I would be interested in hearing about it. I was told at a local book store that my best chance would be to look in used/traded book sections. I have looked in the local libraries for the book without any luck there either. Good Hunting. Gary Samek Bitnet C133GES@UTARLVM1 Telnet C133GES@UTARLG Arpanet C133GES@UTARLG.ARLINGTON.TEXAS.EDU -------------------- Date: Mon, 29 Aug 88 13:38:29 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Frank San Miguel Subject: Re: Softguard In-Reply-To: Your message of Thu, 25 Aug 88 19:04:00 EST Thanks for the information that you sent and to the effort you put into it. It's been very interesting reading. Frank -------------------- Date: Mon, 29 Aug 88 22:33:57 +0300 Reply-To: gany@taurus Sender: Virus Discussion List Comments: If you have trouble reaching this host as MATH.Tau.Ac.IL Please use the old address: user@taurus.BITNET From: GANY@TAURUS Subject: what is DER ? Can someone please explain, to the fool among us (like me), WHAT IS and HOW DOES "DER" works (a short bullet proof explanation). That will make the flaming argument about CRC vs. DER much more clear to people who are not certified computer hackers (yes, ordinary people exist too !). If it was already done and i missed it, please accept my appologies. thanks Yair Gany Gany@Math.Tau.Ac.Il Tel-Aviv University -------------------- Date: Mon, 29 Aug 88 15:29:08 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Joe McMahon Subject: Re: The First Virus In-Reply-To: Message of Sat, 27 Aug 88 13:26:26 EDT from >What exactly is "The Adolescence of P1"? Fact or fiction? Anyone who says that a truly intelligent program could run on a 512K MFT system is *definitely* writing fiction. Half the time you couldn't even run a STUPID program! :-) - - Joe M. -------------------- Date: Mon, 29 Aug 88 17:45:07 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth P. Russell" Subject: Re: More administravia ... In-Reply-To: Message of Wed, 24 Aug 88 10:52:00 CDT from I am getting two copies of virus mail. -------------------- Date: Mon, 29 Aug 88 22:14:00 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Glen Matthews Subject: Outline of Worm Pgms Paper in CACM While not wanting to help bury Loren with yet another copy of the paper "The 'Worm' Programs: Early Experiences with a Distributed Computation" (in CACM March 1982, pp.172-180), as I am sure that more than 1 copy is now winging its way there, I thought that others on this list might be interested to peruse the outline of this paper, together with an annotation or two. (Whew!) (Incidentally, John Brunner's "The Shockwave Rider" is referenced therein as well as "The Adolescense of P1" and one I hadn't heard of, "The Medusa Conspiracy" by Ethan I. Shedley.) 1 Introduction - distinguishes so-called "distributed computing" from worms - "distributed *computations*" 2 Building a Worm - worm: a computation which lives on 1 or more machines; the program on each machine is termed a "segment" 2.1 General Issues in - authors emphasize that since the worm *takes Construcing A Worm over* the host machine, any disk residing on that machine should not be written on; doing so is labelled as a "profoundly antisocial" act 2.2 Starting a Worm - on 1-st machine, worm is started as would be any other program 2.3 Locating Other - worm expands to its full complement of machines Idle Machines using *only* idle machines (say, overnight) 2.4 Booting an Idle - the architecture of the network (ethernet) Machine is such that an idle machine (running a memory diagnostic test pgm) can be requested to boot from the network, but control cannot be seized 2.5 Intra-Worm Communication: The Need for Multi-Destination Addressing - problem of co-ordinating which machines are currently still part of the worm; time-out and labelling a non-communicative segment as not part of the worm any more 2.6 Releasing Machines - memory diagnostic is re-started; noted that if segment or boot fails, the machine is effectiv- ly cut out of the network (stopped) 3 A Key Problem: - puzzling situation recounted: a small worm left Controlling a Worm running overnight resulted in a dozen machines "dead" the next morning; a corrupted copy of the worm was failing in the boot sequence; some machines were physically locked up and running the worm and thus could not be aborted; luckily, an emergency escape had been included within the worm, so that it could be shut down; "...unfortunately, the embarassing results were left for all to see: 100 dead machines scatter- ed around the building..." 4 Applications Using the Worms 4.1 The Existential Worm - this program simply stayed alive 4.2 The Billboard Worm - distributed a "cartoon of the day" 4.3 The Alarm Clock Worm - used to signal a user at a later time; not dependant upon a single machine; would dial up user's telephone!!! 4.4 Multimachine Animation - a single controlling node using other Using a Worm machines to multi-process the graphics problem at hand, generating animation effects 4.5 A Diagnostic Worm for - testing pair-wise communication error the Ethernet rates for networks of 120 machines, using a single controlling node 5 Some History: Multi-Machine - routing algorithm (IMPs); McRoss; Programs on the ARPANET the "Creeper"; "much of this work, however, was done in the early '70s" 6 Conclusions Although "worms" sound as nefarious as viruses I would suggest that they are something completely different. For one thing, the computing environment required is different than that in which viruses are being found today. For another, far from having an "infection" it sounds as though worms will need to utilise network calls to install themselves. This implies a far greater measure of control over the resources that a worm would be able to command. Anyway, this hopefully will encourage those interested to truck on down to the library for this article. Glen Matthews -------------------- Date: Mon, 29 Aug 88 14:12:12 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: GUYDOSRM@SNYPLABA With regard to sending a virus for study... I presume that the terms sterilize, disable, kill, destroy, etc., may not be synonyms. What's the difference, if any? Are there any more-or-less agreed on definitions? Ray Guydosh - State Univ of NY @ Plattsburgh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -------------------- *** end of Virus-L issue ***