From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:31:32 BST 
Message-Id:   <$TGWGCZNQBTNV at UMPA>
Subject:      Virus-L vol 0 issue #1014



Virus-L Digest Fri, 14 Oct 88, Volume 0 : Issue #1014

Today's Topics

How can we help, at all?  OR: netiquette, again
Ex-hackers (was "Re: NY Student")
Hackers as security consultants
Macintosh network exposure to viruses
Re: Ex-hackers (was "Re: NY Student")
Re: networks
Move discussion on virus writers
Re: Hackers as security consultants
Re: networks
employing ex-hackers
Penalties for Hackers
Re: Hackers as security consultants

------------------------------

Date:         Fri, 14 Oct 88 07:07:46 EDT
From:         Otto Stolz +49 7531 88 2645 <RZOTTO@DKNKURZ1>
Subject:      How can we help, at all?  OR: netiquette, again

[To Tom Kurke]: What sort of  system  are  you  using?  Macintosh??  Unix???
MS-DOS???? Atari????? Other??????

[To everybody on this list]: Please, please, please, DO INDICATE THE SYSTEM
in question in the subject fields of your contributions.  Let's  know,  what
you  are  gonna discuss with us! After all these discussions, I still do not
know, to which sort of systems the "Pakistani" and "Brain" viri  are  bound
-- honestly! Can anybody tell me?

[To Ken]: Same holds for  VIRUS-L  FILELIST,  available  from  LISTSERV  at
LEHIIBM1.  The  NOBRAIN,  FluShot+,  and  other  programs  are  USELESS  to
everybody who doesn't know (like me) for which system they are meant -- and
I reckon that is  the  major  part  of  possible  users  of  this  service.

I hope that helps (me and everybody in this discussion group :-)
Otto

--------------------

Date:         Fri, 14 Oct 88 10:09:00 EDT
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      Ex-hackers (was "Re: NY Student")

Daniel M. Greenberg (DMG4449@RITVAX) mentions in passing:
>  Just in case you don't know, many past hackers work for large
>  corporations or the government as informants on with security

Does anyone have any evidence (there I go again!) that this is really true?
It's certainly "common knowledge", and it happens constantly  in  paperback
novels,  but  the  few  actual  security  managers  that I've mentioned the
subject to have generally laughed  at  the  idea,  and  indicated  that  an
ex-cracker would be the *last* person they'd want to hire. DC

--------------------

Date:         Fri, 14 Oct 88 10:45:00 EDT
From:         EAE114@URIMVS
Subject:      Hackers as security consultants

On  the  idea  that  hackers  can  and/or  should  be  hired  as   security
consultants:

In the not-so-old days when competent computer people were hard to come by,
it made sense to hire hackers to  help  your  security  effort.  The  extra
effort to control them and the leap of faith required were made worthwhile,
because  of  the  limited  pool of talent available. I do not think this is
true anymore.

It IS still true that hackers may be an important source of talent, IF  you
have  the resources to control them, or a loose enough situation to prevent
severe damage. If, as in most places I've been, you can't spare the effort,
I'd still say that a first offence ought to result  in  forced  restitution
and  a  real  short  chain.  Class this as stupidity, rather than malice. A
second  offence  is  evidence  of  both   stupidity   AND   severe   mental
defectiveness, and ought to get a body bounced as high as you can get them.
Eristic (EAE114@URIMVS)

--------------------

Date:         Fri, 14 Oct 88 11:05:43 EST
From:         Joe Simpson <JS05STAF@MIAMIU>
Subject:      Macintosh network exposure to viruses

The generally imprecise  use  of  terminology  in  network  discussion  may
mislead persons discussing the potential for spread of viruses on Macintosh
networks.

"Appletalk" is a generic name for a suite of  protocols  defined  by  Apple
Computer.  The  suite  of  protocols,  in  and of themselves, provides very
little applications level service. Useful applications are built on top  of
the  Appletalk  protocols.  For example, Laser printing service and network
dot matrix printing. To share data one must add  additional  software.  Two
very  common  products  to  accomplish  this are AppleShare and TOPS. Using
these  as  our  models  we  can  talk  about  network  exposure  to   viral
contamination.

First. If a virus is written to use low level Appletalk protocols  directly
to  spread a virus from an infected host, I believe that the target machine
would have to be running software beyond the low level protocol suite. Some
examples would be disk sharing software  or  email  software.  We  are  now
talking  about  a  very sophisticated (and probably very large) virus. Note
that the requirement of higher level software  is  a  premise  and  not  an
established fact.

Second. A virus that interacts with disk  media  at  the  read/write  block
level probably cannot propagate via read/write block over the network. Again
this is a premise not a verified conclusion.

If one accepts these premises, network exposure to viruses falls  into  two
classes.

Class B (banal). If one is  running  disk  or  file  sharing  software  and
executes  a virus vector on the local machine, then the local machine is at
the same level of risk that it assumes if the executable  application  were
resident.  This  statement  also  applies  to  trojans  and generally buggy
software and is a tribute to  clean  design  and  accurate  coding  of  the
Macintosh OS and Appletalk protocol suite.

Class A (awful). The typical virus assumes a domain  of  addressable  files
(volumes  only  if  one accepts low level read/write which I do not). If an
infected host has in its domain of addressable  files,  a  subset  that  is
addressable  by other, uninfected, clients of the network, then the network
should accelerate the  spread  of  the  virus.  My  premise,  not  verified
conclusion,  is  that  many disk/file sharing applications on Appletalk are
very clean implementations and present a "local disk" image to applications
that avoid low level read/write.

Tentative conclusions. The risk is real and must be  assessed  against  the
benefits  of the network. Network administrators (and under TOPS individual
clients) should develop a strategy to determine the scope of files that are
addressable  by  others  and  the  permissions  granted  to  these  persons.

Obvious(?) techniques to reduce exposure.
1.  Don't permit access to a system folder by other than the local machine.
2.  Where practical, make executable applications read only.
3.  Try to limit write access to shared domains to data files only.

If anyone is able to confirm or invalidate any of my premises, I would  be
very grateful to them.
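
[Added example, not part of the message above: the three techniques expressed as a permission audit to run on the file server. It assumes the shares live on a POSIX filesystem, with group/other permission bits standing in for "other clients"; the function names, rule labels and sample tree are constructed for illustration.]

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def audit_share(root, system_dirs=("System Folder",)):
    """Return sorted (rule, relative_path) findings for a shared tree."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_mode = os.stat(dirpath).st_mode
        # Technique 1: the system folder is for the local machine only.
        if os.path.basename(dirpath) in system_dirs and dir_mode & 0o077:
            findings.append(("system-folder-exposed", rel_dir))
        has_exec = False
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not (stat.S_ISREG(mode) and mode & ANY_EXEC):
                continue
            has_exec = True
            # Technique 2: executables read-only for everyone but the owner.
            if mode & WRITABLE_BY_OTHERS:
                findings.append(("writable-executable", os.path.relpath(path, root)))
        # Technique 3: shared write access should cover data files only.
        if has_exec and dir_mode & WRITABLE_BY_OTHERS:
            findings.append(("writable-program-dir", rel_dir))
    return sorted(findings)

def build_sample_share(root):
    """Constructed sample tree: dir -> (dir mode, {file: file mode})."""
    layout = {"System Folder": (0o755, {"Finder": 0o755}),
              "Apps": (0o775, {"editor": 0o755, "paint": 0o775}),
              "Data": (0o777, {"report.txt": 0o666})}
    for dirname, (dmode, files) in layout.items():
        d = os.path.join(root, dirname)
        os.mkdir(d)
        for fname, fmode in files.items():
            p = os.path.join(d, fname)
            open(p, "w").close()
            os.chmod(p, fmode)
        os.chmod(d, dmode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_share(build_sample_share(tmp)), sep="\n")
```

The world-writable Data folder is not flagged because it holds no executables, which matches technique 3.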

--------------------

Date:         Fri, 14 Oct 88 11:17:59 PDT
From:         yee@AMES.ARC.NASA.GOV
Subject:      Re: Ex-hackers (was "Re: NY Student")
In-Reply-To:  Your message of Fri, 14 Oct 88 10:09:00 -0400.
              <8810141415.AA21283@ames.arc.nasa.gov>

Lawrence Livermore National Labs employs one ex-cracker in computer security.
An article about him was published in the Oakland Tribune (10/11/88).
-Peter Yee, yee@ames.arc.nasa.gov, ames!yee

--------------------

Date:         Fri, 14 Oct 88 14:23:23 EDT
From:         SHERK@UMDD
Subject:      Re: networks
In-Reply-To:  Message received on Thu, 13 Oct 88  20:24:40 EDT

>>None of the Mac viruses now known can actively transfer across a network
>>If you run a program on a server which is infected, that program can
>>infect your machine. However, if your machine is infected, it cannot
>>infect the server. The program MUST be run on the target system to
>>infect it. Clear? :-)

>That seems strange to me.  It seems that in any system, if a file is
>writable, then a virus can write to it.  Of course, if read-only
>status can be enforced, then infection of the file can be prevented.

>Thus, only if a server file is read-only, and NO code in the local
>machine can write to the server, is the above true.

Any comments?
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |

There is an important difference between network drives and  local  drives.
To  use DOS as an example, when a program wants to write to a file it calls
INT 21 with subfunction 40h (Write  to  file  or  device).  DOS  will  then
determine  what  type  of device the file is on. If the device is a network
drive, DOS will hand off the request to the network software.  But  if  the
device  is  a  local  disk,  DOS will call INT 26h (Absolute disk write) to
write the data to disk. The (c) Brain virus called INT 26h directly, so  it
can't  infect  a  network  drive.  This  is  the  blessing/curse of machine
dependent code!

Erik Sherk, Workstation Programmer, Computer Science Center.
University of Maryland

--------------------

Date:         Fri, 14 Oct 88 15:48:44 EDT
From:         "Mark F. Haven" <MHQ@NIHCU>
Subject:      Move discussion on virus writers

I  suggest  we  move  discussion  on  rewards   and/or   penalties   and/or
excommunication  for  virus writers to a more appropriate list ETHICS-L and
reserve this list for matters of  a  more  technical  nature.  ETHICS-L  is
moderated  by  Harry Williams (HARRY@MARIST) and is described as being to:
"delineate and discuss the basic issues and hot areas in  computer  ethics.
Topics  include  ownership  of  information, who is responsible for program
failures,  how  much  privacy  is  reasonable.  Students  are  welcome   to
participate." The preceding was plagiarized in toto without permission from
a listing on my desk from whence I know not where it came.

--------------------

Date:         Fri, 14 Oct 88 14:04:00 MDT
From:         Bernie <BSWIESER@UNCAMULT>
Subject:      Re: Hackers as security consultants
In-Reply-To:  Message of 14 Oct 88 08:45 MDT from "EAE114 at URIMVS"

I don't get it.  How  can  showing  an  interest  in  things  imply  malice?
Unfortunately  I  still  believe  people  are not innately evil. If computer
science has this Calvinistic attitude for long, we'll never see  innovation
or advance again.

--------------------

Date:         Fri, 14 Oct 88 15:37:29 CDT
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: networks
In-Reply-To:  Message from "VIRUS-L@LEHIIBM1.BitNet" of Oct 14, 88 at 2:23 pm

>>Thus, only if a server file is read-only, and NO code in the local
>>machine can write to the server, is the above true.

>Any comments?

>There is an important difference between network drives and local
>drives. To use DOS as an example, when a program wants to write to
>a file it calls INT 21 with subfunction 40h (Write to file or device).
>DOS will then determine what type of device the file is on. If the
>device is a network drive, DOS will hand off the request to the network
>software. But if the device is a local disk, DOS will call INT 26h
>(Absolute disk write) to write the data to disk.
>     The (c) Brain virus called INT 26h directly, so it can't infect
>a network drive. This is the blessing/curse of machine dependent code!
>Erik Sherk

Interesting, however the virus can call the  same  routines  that  the  DOS
server does. Thus, only if the server file is read-only AT THAT END can you
be  sure that a virus cannot infect the server. If code at the user end can
write to the server, in any way,  then  a  virus  code  can  do  the  same.
Read-only files, protected at the server end where the virus is assumed not
to reside, are protected.

(as an aside, we have moved the discussion from MAC to DOS  here,  we  also
are  discussing  what a virus can do, not what known viruses actually do. I
for one am discussing potential and not existing threats.)
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Fri, 14 Oct 88 16:55:00 CDT
From:         Gordon Meyer <TK0GRM1@NIU>
Subject:      employing ex-hackers

To answer DC's question about ex-hackers working for large corporations  or
the  government.  Yes,  I  have evidence and can confirm that statement for
you. However, the ones that I am  aware  of  work  as  informants,  not  as
"regular"  employees. They continue to be active in the hacker's world, but
they in turn  supply  information  to  the  gov't  or  large  corporations.

On other matters it  has  been  interesting  to  read  the  various  "harsh
punishments  result  in  halted activity" arguments. This too seems to be a
popular notion but is on shaky theoretical and empirical grounds. But  then
I'm  a  criminology graduate student so I guess I'm "into" such things. :-)
Cheers!
-=->G<-=-

--------------------

Date:         Fri, 14 Oct 88 23:42:00 EST
From:         ACS045@GMUVAX
Subject:      Penalties for Hackers

"If, as in most places I've been, you can't spare the effort, I'd still say
that a first offence ought to result in forced restitution and a real short
chain. Class this as stupidity, rather than malice.  A  second  offence  is
evidence  of  both  stupidity AND severe mental defectiveness, and ought to
get a body bounced as high as you can get them. Eristic  (EAE114@URIMVS)":-

sounds like most places you've been are a lot more lenient than  our  place
over  here....  We  just  had  a  nasty  bit  of  business  where a student
consultant either wrote a VMS trojan .COM file or  showed  a  user  how  to
write a .COM file, which was then sent around the system and managed to zap
a few accounts before the file was discovered.

No short chain for him.....he was fired faster than a speeding bullet..  It
turned  out  that  he  didn't  really  DO  anything  in terms of writing or
distributing the beast, but just the mere fact that his name came up a  few
times  in  the  resulting  inquisition  was  enough  to  get  him canned...

--------------------

Date:         Fri, 14 Oct 88 18:54:00 PDT
From:         Ed Sakabu <CSMSETS@UCLAMVS>
Subject:      Re: Hackers as security consultants

The term "Hacker" nowadays has a totally different meaning than it  did  in
the  not-so-old  days.  The  term  I  prefer  to  use  for these turkeys is
"cracker" not "Hacker". Well, there's my two cents. Thanks for not  flaming
me. --Ed

"On the idea  that  hackers  can  and/or  should  be  hired  as  security
consultants:  In  the  not-so-old  days when competent computer people were
hard to come by, it made sense  to  hire  hackers  to  help  your  security
effort.  The  extra  effort  to control them and the leap of faith required
were made worthwhile, because of the limited pool of talent available. I do
not think this is true anymore. It IS still true that  hackers  may  be  an
important source of talent, IF you have the resources to control them, or a
loose  enough  situation  to  prevent severe damage. If, as in most places
I've been, you can't spare the effort, I'd still say that a  first  offence
ought to result in forced restitution and a real short chain. Class this as
stupidity,  rather  than  malice.  A  second  offence  is  evidence of both
stupidity AND severe mental defectiveness, and ought to get a body  bounced
as high as you can get them. Eristic (EAE114@URIMVS)".

--------------------

*** end of Virus-L issue ***
