FATQW@USU.BITNET (02/08/88)
[Yes, I'm serious!!]

I don't think we should discourage people from writing viruses, as long as they
are harmless. You have to make the distinction between a practical joke and
vandallism (sp?). I think probably SCA was meant as a practical joke, except
the authors didn't take precautions to keep it that way (i.e. it unexpectedly
turned out that it WILL destroy things). As for the new killer virus, I think
the knucklehead who wrote it deserves to get his brains bashed.

Here are my two (wow!) guidelines for virus writers:

1) Make it harmless
2) Make it easy to kill

The first one is very straightforward. When you change something (like the
boot block), make sure it's already "normal". Don't do anything to something
you don't recognize. This would have prevented SCA from turning into a killer.

As for the second guideline, yes, I know part of the fun of writing viruses is
making them "invulnerable". However, every virus should have a "weak spot"
where they can be killed easily. For example, someone might make a virus just
to see if he can make it good enough to fool VCheck into thinking there's no
virus there. However, he should always have a "back door", so he can make his
own little virus protector. Also, if the virus is a very "good" one, then it
should have a way to kill itself off, say at a certain date, or after a certain
number of "infections". For example, a boot-block virus, as soon as it "grabs"
a boot-block, a counter is set to, say, 50. Every time that virus propagates
itself, it decrements the counter. When the counter reaches 0, it puts back the
normal boot-block, but sets a certain byte to something different, so that
boot-block will never be able to be infected again.

Maybe the author of VCheck (Bill Koester, isn't it?) should, when examining a
disk, not check the last byte or word. That way viruses or virus protectors
would set this byte to something, and the virus won't propagate itself onto
this disk.

Anyway, basically the idea is to make viruses (semi-)harmless.

Bryan

Bryan Ford //// A computer does what \\\\
Snail: 1790 East 1400 North //// you tell it to do, not \\\\
Logan, UT 84321 \\\XX/// what you want it to do. \\\XX///
Email: FATQW@USU.BITNET \XXXX/ Murphy's Law Calendar 1986 \XXXX/
sean@ms.uky.edu (Sean Casey) (02/08/88)
In article <8802072054.AA03747@jade.berkeley.edu> FATQW@USU.BITNET writes:
>[Yes, I'm serious!!]
>
>I don't think we should discourage people from writing viruses, as long as they
>are harmless. You have to make the distinction between a practical joke and
>vandallism (sp?). I think probably SCA was meant as a practical joke, except

At the risk of appearing to be a net POWER USER...

NO NO NO NO NO NO!

This is a bad idea, because virus programs have the potential to crash copy
protected software or *anything* with a non-standard boot block. As a matter
of fact, any virus that writes to a disk at all---and what virus
wouldn't---risks damaging something.

In consolation, I *am* for publicizing exactly how viruses work, and any
technical discussions on them. Hiding this information only invites the
technically competent virus hacks to stomp all over us ignorant users. Making
the information public will invite people to come up with ways to fight this
particular type of software.

I have never ever known of a major security bug that lasted long after
it's operation was widely publicized. I guess that's where I am coming
from.

Sean
--
-- Sean Casey sean@ms.uky.edu, sean@ukma.bitnet
-- (the Empire guy) {rutgers,uunet,cbosgd}!ukma!sean
-- University of Kentucky in Lexington Kentucky, USA
-- "If something can go will, it wrong."
jbn@glacier.STANFORD.EDU (John B. Nagle) (02/09/88)
In article <8261@g.ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
>I have never ever known of a major security bug that lasted long after
>it's (sic) operation was widely publicized.

I think he's right. It will cost billions to make personal computers
virus-proof, and may take a whole new generation of machines, yet it will
probably have to happen.

Such an effort is not unprecedented. The reengineering of the AT&T Long Lines
system required to make it blue-box proof was massive, took almost a decade,
and cost hundreds of millions. The old system of tones on the voice circuits
was replaced with a separate data network used to carry the control
information between the toll offices.

OS/2 is already virus-resistant to some degree, being a protected-mode
operating system. When the Mac line gets memory-management
units (there's a socket in the Mac II) Apple intends to go to a protected
mode operating system (ref. interview with John Sculley, Computer Currents,
Dec. 87.). Sun machines are already reasonably tight, running under UNIX
in protected mode. DEC's VAXstations also have protection. In each
case, the protection isn't perfect, but the essential parts are there and
with some tightening up, each of these systems should be able to resist
virus programs effectively.

This leaves the Amiga out in the cold. Someone at Commodore had best be
thinking very hard about this.

John Nagle
ugfeldmn@sunybcs.uucp (Jon Feldman) (02/09/88)
In article <8802072054.AA03747@jade.berkeley.edu> FATQW@USU.BITNET (Bryan Ford) writes:
>[Yes, I'm serious!!]
>I don't think we should discourage people from writing viruses, as long as they
>are harmless. You have to make the distinction between a practical joke and
>vandallism (sp?). I think probably SCA was meant as a practical joke, except
>the authors didn't take precautions to keep it that way (i.e. it unexpectedly
>turned out that it WILL destroy things).

One can't foresee all possibilities; therefore one shouldn't even start
writing strangoid things like viruses.

>[A lot of somewhat reasonable points deleted]
>Anyway, basically the idea is to make viruses (semi-)harmless.

By definition, viruses are _never_ harmless. They can be funny, but no
`practical joke' is ever harmless.

Hey! Any biologists out there? Look, you could design a REAL virus that hides
in one's boots ??? ... nah... ;-)

"A joke is Good by the proportion of Destruction and Pain it cause
- Unknown

> Bryan Ford //// A computer does what \\\\
>Snail: 1790 East 1400 North //// you tell it to do, not \\\\
> Logan, UT 84321 \\\XX/// what you want it to do. \\\XX///
>Email: FATQW@USU.BITNET \XXXX/ Murphy's Law Calendar 1986 \XXXX/

- Jon
. . . . . . . . . . . . . .
Jon Feldman InterNet: ugfeldmn@joey.cs.buffalo.edu
_^--^_ uucp: {decvax,watmath,rutgers,...}!sunybcs!ugfeldmn
/ . . \ "Just remember, there's a big difference between kneeling down and
( \ )
papa@pollux.usc.edu (Marco Papa) (02/09/88)
In article <17301@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>In article <8261@g.ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
>>I have never ever known of a major security bug that lasted long after
>>it's (sic) operation was widely publicized.
>
> I think he's right.

I think that, too.

> OS/2 is already virus-resistant to some degree, being a protected-mode
>operating system. When the Mac line gets memory-management
>units (there's a socket in the Mac II) Apple intends to go to a protected
>mode operating system (ref. interview with John Sculley, Computer Currents,
>Dec. 87.). Sun machines are already reasonably tight, running under UNIX
                                     ^^^^^^^^^^ ^^^^^                ^^^^
>in protected mode. DEC's VAXstations also have protection. In each
>case, the protection isn't perfect, but the essential parts are there and
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>with some tightening up, each of these systems should be able to resist
>virus programs effectively.

You seem to make the equation:

    OS with protected mode == OS protected from viruses

That is unfortunately not so. And even more with UNIX, which has been shown to
be one of the WORST Operating Systems with respect to protection against
viruses. Fred Cohen's "controlled virus experiments" at USC were done on UNIX
systems. Fred, a PhD graduate of USC and now with the University of
Cincinnati, was prominently featured last week in multi-page articles in both
the Los Angeles Times and the New York Times. In his thesis he shows that even
the Bell-LaPadula Secure systems are vulnerable to viruses. UNIX does not even
come close to that, and its "setuid" and UUCP features make it one of the
least secure systems. Bill Landreth's viruses over the ARPAnet a few years
back were done mostly on UNIX systems, connected over ARPA and LANs.

NONE of the systems you have mentioned has the "essential parts" that make it
secure, and NONE of them is "able to resist viruses effectively".

If you need references, I'll be happy to e-mail them.

-- Marco

P.S.: Yes, I was part of Len Adleman's "USC seminar" mentioned in the LA and
NY Times articles that spent a semester to show how easy it is to break into
systems.
meyers@wybbs.UUCP (John Meyers) (02/10/88)
In article <8802072054.AA03747@jade.berkeley.edu>, FATQW@USU.BITNET writes:
> I don't think we should discourage people from writing viruses, as long as they
> are harmless. You have to make the distinction between a practical joke and
> vandallism (sp?). I think probably SCA was meant as a practical joke, except
> the authors didn't take precautions to keep it that way (i.e. it unexpectedly
> turned out that it WILL destroy things). As for the new killer virus, I think

BOTH viruses were written to bring notoriety to the two groups who introduced
them, and so far, it has. You might have found it funny to INSTALL 100+ disks,
but I sure didn't. I don't find it wise to encourage ANY viruses, even if you
are asking for "harmless" (used loosely in my context) ones. (Isn't that an
oxymoron? Harmless virus)?

> Bryan

John Meyers
--
__ , |John Michael Meyers -> meyers@wybbs.UUCP
(_/_ / /)) _ _ _ _ |
_/(//)/) / / (-'(/(-'/ ' '-,|DISHCLAIMER:Well, the one with the pizza
(/""""""""""""""(_/"""""""""" | is mine, but...
darin@laic.UUCP (Darin Johnson) (02/10/88)
> OS/2 is already virus-resistant to some degree, being a protected-mode
> operating system. When the Mac line gets memory-management
> units (there's a socket in the Mac II) Apple intends to go to a protected
> mode operating system (ref. interview with John Sculley, Computer Currents,
> Dec. 87.).

Why should running under protected mode help? A virus that gets read in
from the boot block would presumably run in privileged mode. A protected
mode would help against some trojan horses though, although someone clever
can get around this easily. A protected mode would help defend the Amiga
against user programs/errors but not against itself (or programs designed to
defeat protected mode).

> Sun machines are already reasonably tight, running under UNIX
> in protected mode. DEC's VAXstations also have protection. In each
> case, the protection isn't perfect, but the essential parts are there and
> with some tightening up, each of these systems should be able to resist
> virus programs effectively.
> John Nagle

UNIX machines are no less susceptible to trojan horses than any other
system. Also, UNIX machines are not generally known as secure systems,
although many vendors are trying to retro-fit better security. VMS is
generally regarded as more secure than UNIX, yet I can think of quite a few
ways to create a virus or trojan horse on VMS (recall the SPANnet virus that
propagated over these "secure" machines). On occasion, I have broken in to
Suns and microVaxes (in my system manager guise) and know that it is trivial
for a casual user to do so (a little harder on VMS...). Also, the "Ken
Thompson" virus may exist on a very large number of UNIX systems.

The tightening up involved in order to make these systems secure would be to
have the machine be in a restricted access area, have no network/modem
connections, no outside software used, vendor software examined (source code
required), etc. (assuming you trust the users :-)

(I would consider my Amiga at home more secure than the machines at work)

--
Darin Johnson (...ucbvax!sun!sunncal!leadsv!laic!darin)
(...lll-lcc.arpa!leadsv!laic!darin)
All aboard the DOOMED express!
fwp@unccvax.UUCP (Rick Pasotto) (02/10/88)
in article <8802072054.AA03747@jade.berkeley.edu+, FATQW@USU.BITNET says:
+
+ [Yes, I'm serious!!]
+
+ I don't think we should discourage people from writing viruses, as long as they
+ are harmless. You have to make the distinction between a practical joke and
+ vandallism (sp?).
. . . [deleted text] . . .
+ Anyway, basically the idea is to make viruses (semi-)harmless.
+
+ Bryan
+
+ Bryan Ford //// A computer does what \\\\
+ Snail: 1790 East 1400 North //// you tell it to do, not \\\\
+ Logan, UT 84321 \\\XX/// what you want it to do. \\\XX///
+ Email: FATQW@USU.BITNET \XXXX/ Murphy's Law Calendar 1986 \XXXX/
You miss the point entirely! A virus is an unwelcome intruder - at least in
MY computer, perhaps not in yours. What you are suggesting is no different
in principle from saying:
"Let's see if we can break into someone's house.
We won't take or harm anything. Maybe we can
leave a note saying we were here."
Perhaps you would enjoy uninvited strangers wandering around your home.
Most people wouldn't.
Rick Pasotto
mcnc!unccvax!fwp
jbn@glacier.STANFORD.EDU (John B. Nagle) (02/11/88)
In article <153@laic.UUCP> darin@laic.UUCP (Darin Johnson) writes:
>Why should running under protected mode help? A virus that gets read in
>from the boot block would presumably run in privileged mode. A protected
>mode would help against some trojan horses though, although someone clever
>can get around this easily.

The idea is to boot up from an uncontaminated medium and run without
booting thereafter, running user programs in protected mode only. The best
startup medium would be a ROM, CD or otherwise.

>
>
>
>UNIX machines are no less succeptible to trojan horses than any other
>system. Also, UNIX machines are not generally known as secure systems,
>although many vendors are trying to retro-fit better security.

Very true. I was involved in one of the first major efforts in this
direction, the 1979 Kernelized Secure Operating System, a new kernel written
in Modula I for the PDP-11. It is in principle possible to make a secure
system that will run UNIX programs without modifications to the applications
programs. Ours was too slow to be useable for general purpose applications,
although it was later used in a military application. But we could do better
today.

The big problem, by the way, is not making a tight kernel. It is
idiot-proofing system administration with respect to security. This can be
done, although at considerable cost in flexibility.

John Nagle
trb@stag.UUCP ( Todd Burkey ) (02/11/88)
In article <17301@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>In article <8261@g.ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
>
> I think he's right. It will cost billions to make personal computers
>virus-proof, and may take a whole new generation of machines, yet it will

I doubt it...although making them trojan horse proof (or Damn Fool Proof)
could be very expensive. Stick most everything on ROM (for OS bootup anyway)
and remove the need to load bootstrap routines from disk at startup and you
are most of the way there. By bootstrap routines I am talking about things
that have to be run from the boot blocks as opposed to using the boot blocks
just for informational purposes (i.e. FAT info).

>
> OS/2 is already virus-resistant to some degree, being a protected-mode
>operating system. When the Mac line gets memory-management

The key thing you started talking about is PERSONAL COMPUTERS. As soon as you
say personal, then there is no such thing as a true PROTECTED mode, since the
user is probably going to be in super user mode most of the time. Even on my
personal Unix box, I find myself logged in as root a fair amount of the time.
The only real protection you have in having a Unix box is that you always get
source when you get a program or you get the program from a very trusted
source (i.e. from the vendor of your particular Unix box). If you are foolish
enough to run a program obtained through unknown channels as root, you deserve
whatever happens...and the original developer will be fairly easy to trace.

I find it interesting that there is very little concern here in the Cities
among my Amiga friends about the Virus. Some of the developers have seen it,
but nobody I know of has gotten burned by them. Maybe they just keep better
backups and printouts of their code.

-Todd Burkey
trb@stag.UUCP

P.S. has anyone tried actually tracking down the original source of the
viruses? I can't imagine that it would be all that impossible a task if
someone at Commodore started making some phone calls. It would be something
like a binary tree walkback...just because everyone has it doesn't mean you
would have to talk to everyone. Then nail the person and make an example of
him/her/it.
rick@svedberg.bcm.tmc.edu (Richard H. Miller) (02/16/88)
In article <8261@g.ms.uky.edu>, sean@ms.uky.edu (Sean Casey) writes:
> I have never ever known of a major security bug that lasted long after
> it's operation was widely publicized. I guess that's where I am coming
> from.

This is true for many security holes. If it is publicized, you usually can
take steps to prevent it. However, if it exploits a design flaw in the system,
take care in the dissemination of the flaw. A fundamental flaw may NOT be
easily corrected (it might require a major rewrite and/or redesign of the
product in question) and thus may not be solved quickly. If the knowledge of
the flaw becomes widely known, you now have an ongoing problem with no
solution for many months. (or years).

Richard H. Miller Email: rick@svedberg.bcm.tmc.edu
Head, System Support Voice: (713)799-4511
Baylor College of Medicine US Mail: One Baylor Plaza, 302H
Houston, Texas 77030
bts@sas.UUCP (Brian T. Schellenberger) (02/19/88)
This is the stupidest damn posting I've ever read in my life. Maybe I'll
go buy a MAC if people are going to use the net to solicit viruses for the
Amiga.
--
--Brian.
(Brian T. Schellenberger) ...!mcnc!rti!sas!bts
DISCLAIMER: Whereas Brian Schellenberger (hereinafter "the party of the first
bishop@skat.usc.edu (Brian Bishop) (02/22/88)
In article <339@sas.UUCP> bts@sas.UUCP (Brian T. Schellenberger) writes:
>This is the stupidest damn posting I've ever read in my life. Maybe I'll
>go buy a MAC if people are going to use the net to solicit viruses for the
>Amiga.

This was the stupidest posting I have ever read in my life. If the Amiga
conference is going to become a bunch of close-minded people like this, maybe
I'll go buy a Timex-Sinclair. ;-)

Seriously, though, I think that the original posting had a good point. If
there are any potential virus authors out there (and you *know* there are
some getting this feed somewhere), then it would be good to make them aware
of any method to make their creations less harmful. Pretending they don't exist
won't help, and I just don't buy the argument that suggestions like these
will entice anybody to write a virus who wasn't going to anyway.

brian bishop ---> bishop@usc-ecl.ARPA
(uscvax,sdcvdef,engvax,scgvaxd,smeagol) ---> usc-skat!bishop.UUCP

"You will be required to do wrong no matter where you go. It is the basic
condition of life, to be required to violate your own identity. At some time,
every creature that lives must do so. It is the ultimate shadow, the defeat of
creation; this is the curse at work, the curse that feeds on all life.
Everywhere in the universe."
- Wilbur Mercer, founder of Mercerism

have a nice day fnord.
dillon@CORY.BERKELEY.EDU (Matt Dillon) (02/23/88)
>in article <8802072054.AA03747@jade.berkeley.edu+, FATQW@USU.BITNET says:
>+
>+ [Yes, I'm serious!!]
>+
>+ I don't think we should discourage people from writing viruses, as long as they
>+ are harmless. You have to make the distinction between a practical joke and
>+ vandallism (sp?).

Let me put my answer this way: If I ever get caught by a virus, and
if I find who the author of said virus is, he can expect hell on every network
I see him on for the rest of his life.

-Matt
papa@pollux.usc.edu (Marco Papa) (02/24/88)
And you thought the Mac was safe? Macintosh Today has 1/4 of a page of the
latest issue devoted to the "Peace virus that can be avoided by resetting the
system clock". This is a short quote:

"This virus will appear on many Macintosh computer screens worldwide March 2.
The virus originated at Montreal-based MacMag, whose publisher Richard
Brandow, said the program was an idealistic effort to honor the birth of the
Macintosh II computer. The virus was disseminated via Compuserve and other
dial-up bulletin board systems buried in various files and unwittingly
downloaded by subscribers. .. But the virus can damage some programs. At least
one program, Apache Strike by Silicon Beach Software, will not work when the
peace message is in the same computer's system. Mac owners that don't care to
receive the message, should advance their system clock to March 3, the day
after the program appearance date."

-- Marco
bilbo@pnet02.cts.com (Bill Daggett) (02/25/88)
How about leaving your Macs off March 2nd - Take the day off. :-)

Bill
UUCP: {ihnp4!scgvaxd!cadovax rutgers!marque}!gryphon!pnet02!bilbo
INET: bilbo@pnet02.cts.com
terry@wsccs.UUCP (terry) (03/02/88)
In article <912@unccvax.UUCP>, fwp@unccvax.UUCP (Rick Pasotto) writes:
> You miss the point entirely! A virus is an unwelcome intruder - at least in
> MY computer, perhaps not in yours. What you are suggesting is no different
> in principle from saying:
>
> "Let's see if we can break into someone's house.
> We won't take or harm anything. Maybe we can
> leave a note saying we were here."
>
> Perhaps you would enjoy uninvited strangers wandering around your home.
> Most people wouldn't.

Perhaps you would not be vulnerable to a virus if you were to avoid
getting bootable disks except through legal channels. It seems to me that
the virus is spread via contaminated bootblocks, something you don't get from
a reputable company (unless you count Word Perfect) if you *PAY*.

If you insist on getting stuff through illegitimate channels, you are
exposing yourself.

By the way! Something WONDERFUL has happened! Your mail system is ALIVE!
and better yet, some of your messages are infected with a virus!

PS: I have a copy of a virus that came (I think) on a purchased copy of strip
poker. It shows up as a non-infected disk for vcheck1.9. I will post a copy
(grabbed with tracker) if there is enough interest and no objections (posting
Amiga stuff is a little hard the way I have to do it). I think if vcheck1.9
had just looked at track 0 and looked for "irus", it would have found it no
problem. The damn thing says "virus" right in it. (The "irus" is to avoid
capitalization diffs).

| Terry Lambert UUCP: ...!decvax!utah-cs!century!terry |
| @ Century Software or : ...utah-cs!uplherc!sp7040!obie!wsccs!terry |
| SLC, Utah |
| These opinions are not my companies, but if you find them |
| useful, send a $20.00 donation to Brisbane Australia... |
| 'There are monkey boys in the facility. Do not be alarmed; you are secure' |
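The string check described in the post above, sketched as an added example (not part of the thread and not VCheck's code): it pulls printable text out of track 0 of a disk image and matches it case-insensitively, which also covers an all-caps banner that a literal "irus" search would miss. The ADF-style layout (512-byte sectors, 11 per track, two-sector boot block) and the sample images are assumptions constructed for the example.

```python
import re

SECTOR_SIZE = 512
TRACK0_SECTORS = 11                  # assumption: double-density Amiga floppy
TRACK0_LEN = SECTOR_SIZE * TRACK0_SECTORS
BOOT_BLOCK_LEN = 2 * SECTOR_SIZE     # boot block = first two sectors of track 0

# Lower-case fragments to look for; "irus" is the one suggested in the post.
MARKERS = ("irus",)

# Runs of at least four printable ASCII bytes, like the Unix `strings` tool.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_runs(data):
    """Return (offset, text) for every printable-ASCII run in data."""
    return [(m.start(), m.group().decode("ascii"))
            for m in _PRINTABLE.finditer(data)]


def scan_track0(image, markers=MARKERS):
    """Report readable text on track 0 that contains any marker.

    Matching is done on case-folded text, so "Virus", "virus" and
    "VIRUS" are all caught. Only the first TRACK0_LEN bytes are read.
    """
    hits = []
    for offset, text in printable_runs(image[:TRACK0_LEN]):
        folded = text.lower()
        if any(marker in folded for marker in markers):
            hits.append({
                "offset": offset,
                "in_boot_block": offset < BOOT_BLOCK_LEN,
                "text": text,
            })
    return hits


def make_image(track0_text=b"", later_text=b""):
    """Build a constructed two-track image for the demonstration."""
    image = bytearray(TRACK0_LEN * 2)
    image[0:4] = b"DOS\x00"                       # boot block type marker
    image[0x40:0x40 + len(track0_text)] = track0_text
    start = TRACK0_LEN + 16                       # lands on the second track
    image[start:start + len(later_text)] = later_text
    return bytes(image)


if __name__ == "__main__":
    # Constructed samples, not taken from any real disk.
    samples = {
        "marked": make_image(b"Constructed sample: a ViRuS lives here"),
        "clean": make_image(b"AmigaDOS boot code placeholder"),
    }
    for name, image in samples.items():
        for hit in scan_track0(image):
            print(name, hex(hit["offset"]), repr(hit["text"]))
```

A hit only says that the text is present on track 0; a boot block with no readable text passes this check, so it is a quick hint and not a verdict on the disk.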
glee@cognos.uucp (Godfrey Lee) (03/02/88)
In article <7120@oberon.USC.EDU> bishop@skat.usc.edu (Brian Bishop) writes:
> This was the stupidest posting I have ever read in my life. If the Amiga
>conference is going to become a bunch of close-minded people like this, maybe
>I'll go buy a Timex-Sinclair. ;-)
>
> Seriously, though, I think that the original posting had a good point. If
>there are any potential virus authors out there (and you *know* there are
>some getting this feed somewhere), then it would be good to make them aware
>of any method to make their creations less harmful. Pretending they don't exist
>won't help, and I just don't buy the argument that suggestions like these
>will entice anybody to write a virus who wasn't going to anyway.

Somehow, this argument grates against me.

No, we should not pretend that virus writers don't exist. They do. We have
seen the results.

No, I don't think we should teach them how to write viruses to minimize their
damage. We should teach/persuade them that viruses are bad, and they should
not do it. Of course, some won't listen. Well, they won't listen to guidelines
to make viruses "harmless" either.

By the way, if you continue to feel a need to pamper virus writers, I wish you
do go buy a Timex-Sinclair, and take all the virus writers with you! NO :-)

--
Godfrey Lee P.O. Box 9707
Cognos Incorporated 3755 Riverside Dr.
VOICE: (613) 738-1440 FAX: (613) 738-0002 Ottawa, Ontario
UUCP: decvax!utzoo!dciem!nrcaer!cognos!glee CANADA K1G 3Z4
dave@csd1.milw.wisc.edu (David A Rasmussen,EMS E380,5133,) (03/05/88)
From article <247@wsccs.UUCP>, by terry@wsccs.UUCP (terry):
> In article <912@unccvax.UUCP>, fwp@unccvax.UUCP (Rick Pasotto) writes:
}} You miss the point entirely! A virus is an unwelcome intruder - at least in
}} MY computer, perhaps not in yours. What you are suggesting is no different
}} in principle from saying:
}}
}} "Let's see if we can break into someone's house.
}} We won't take or harm anything. Maybe we can
}} leave a note saying we were here."
}}
}} Perhaps you would enjoy uninvited strangers wandering around your home.
}} Most people wouldn't.
}
} Perhaps you would not be vulnerable to a virus if you were to avoid
} getting bootable disks except through legal channels. It seems to me that
} the virus is spread via contaminated bootblocks, something you don't get from
} a reputable company (unless you count Word Perfect) if you *PAY*.
}
} If you insist on getting stuff through illegitimate channels, you are
} exposing yourself.
}

Can you say "Public domain bootable disks"? I didn't think so. People who
distribute viruses should plug their amigi into the third rail of the nearest
electric rail line... if they don't get fried maybe they'll get squashed. :-)

There are better ways to protect software than with viruses.

Dave Rasmussen c/o Computing Services Division @ U of WI - Milwaukee
Internet: dave@csd4.milw.wisc.edu Uucp: uwvax!uwmcsd1!uwmcsd4!dave {o,o}
Csnet: dave%uwmcsd4@uwm Bellnet: +1 (414) 229-5133 \u/
ICBM: 43 4 58 N/ 87 55 52 W Usnail: 3200 N Cramer #E380, Milw WI 53211