spaf@cs.purdue.EDU (Gene Spafford) (11/17/88)
The following is posted as per the enclosed request. --spaf
I understand from our system administrator that you are collecting some
data on the recent computer virus. I am part of a student team here at
the Univ. of Utah that has put together the enclosed survey on computer
viruses, that we would like to disseminate and get responses to. We
thought that using the NEWS network would be a good way to get
responses from a wide variety of sites. Unfortunately, we don't really
have a posting program here. Can you help? We would like to post this
to the comp.sys groups, and invite responses from the readers, but can
only post to moderated groups.
Thank you very much for your time and consideration.
Yours truly,
Robert McKinnon = RBMCKINN@cc.utah.edu
COMPUTER VIRUS SURVEY
We need your opinion! Computer Viruses are becoming
painfully apparent now days. In the past month a serious
attack by a virus created by a Cornell University student
disrupted the use of over 6000 computer systems. Some
authorities have suggested that these viruses have reached
"epidemic" levels. Yet, there seems to be no clear idea
as to what should be done about them; both the viruses, and
their creators. This is where we need your opinion. What
do you think of the situation, and what do you think ought
to be done?
The National Security Agency (NSA) has suggested that by
publicizing virus attacks we give incentive to more hackers
to try their hand at writing one, and that educating the
public on viruses would only result in more "virulent strains"
being produced. They encourage repression of virus information.
Others, notably Harold Highland-editor of "Computers &
Security", have encouraged public awareness and education
on the issue, and particularly the training of systems ops
and managers in the methods of preventing, recognizing and
dealing with virus attacks.
Which approach should be followed? Let us know what
you think by sending us EMAIL through the mail address given
below. We will compile the data, and report on it later.
We can only hold this survey open for a week to 10 days, so
please respond early.
SEND RESPONSES VIA EMAIL TO: rbmckinn@cc.utah.edu
==============================================================
VIRUS SURVEY QUESTIONNAIRE
1. Occupation: with regard to your current (or most recent)
occupation, which of the following phrases best completes the
following sentence?
"In my current (or most recent) job/career I ...
a. am (was) heavily involved with computers."
b. am (was) not directly involved with computers, other
than an occasional use for word-processing, etc."
c. am (was) not really involved with computers at all."
d. may (did) not use computers, but I manage(d) a
company/office that does (did)."
e. don't (didn't) use computers, but I use(d) one at home."
2. If your answer to question 1 was "a", please pick the
title below that best defines your job: (you may select
more than one.)
a. Systems Analyst.
b. Systems/LAN manager.
c. Computer equipment purchasing agent.
d. Computer Operator.
e. Senior Programmer.
f. Junior Programmer.
g. Other. (Please describe.)
3. Which age group do you belong to:
a. 11 - 20
b. 21 - 25
c. 26 - 30
d. 31 - 35
e. 36 - 40
f. 41 - 45
g. 46 - 50
h. 51 - 55
i. 56 and over.
4. Gender? Male Female
5. Do you own a personal computer? Yes No
a. If you do, do you also own a modem? Yes No
6. Do you use any anti-virus programs? Yes No
a. If so, please list their names, cost, and describe their
effectiveness.
--------------------------------------------
A. The media has exaggerated the seriousness of the computer
virus threat.
1 --------- 2 ---------- 3 ----------- 4 ----------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
B. Since most virus programs are benign and generally are
just meant as harmless pranks, we should not be overly
concerned about them.
1 --------- 2 ---------- 3 ----------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
C. Computer viruses are a real threat to our national
security. We should take severe steps against those
who create them.
1 --------- 2 --------- 3 ---------- 4 ----------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
D. It is impossible to adequately protect a system from
infection by a virus, so it is not worth the effort
and expense of trying.
1 --------- 2 --------- 3 --------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
E. Current computer crime laws do not serve as a good
deterrant to discourage virus creators.
1 --------- 2 --------- 3 ---------- 4 ----------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
F. I believe that the existing "vaccine" programs, which
claim to "inocculate" against viruses, are effective
to about the following degee:
1 2 3 4 5
0 - 20% 20 - 40% 40 - 60% 60 - 80% 80 - 100%
Effective Effective Effective Effective Effective
G. Extremely strict laws specifically designed to punish and
deter the writing and use of virus programs should be
created and enforced without delay.
1 ----------- 2 ---------- 3 ---------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
H. I believe that the computer system I use or manage is
adequately protected against virus attack. I do not
plan any further protection.
1 ---------- 2 ---------- 3 ---------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
I. The National Security Agency has the right idea, the less
said about computer viruses, the less likely we are to
see more of them.
1 --------- 2 ---------- 3 ---------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
J. Not only should we do more to educate the public, but
every school that offers computer courses should include
a course specifically about the detection and handling of
computer viruses.
1 -------- 2 ---------- 3 ---------- 4 ----------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
K. The Cornell Student who recently messed up so many systems
recently with what he calls an "accidental" virus, should
be prosecuted to the full extent of the law.
1 -------- 2 --------- 3 ---------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
I. There is currently no single good source for information
on computer viruses. Someone should create one.
1 ---------- 2 --------- 3 ----------- 4 ---------- 5
Strongly Somewhat No Somewhat Strongly
Agree Agree Opinion Disagree Disagree
===============================================================
Finally, please tell us your war stories! If you have ever had
an experience with a virus, please tell us about it. You may
of course comment on anything else you think we ought to know.
THANK YOU VERY MUCH FOR YOUR
COOPERATION!
Robert B. McKinnon Dan Gill
Computer Science, U of U Elect. Eng., U of U
Bill Shunn Thomas Vu
Computer Science, U of U Elect. Eng., U of U
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spafarrom@aplcen.apl.jhu.edu (Ken Arromdee ) (11/18/88)
This survey seems to me to contain an awful lot of questions of the type "A, therefore B", with answers ranging from strongly agree to strongly disagree. There are, however,several possible opinions which don't fit into that range too well: Disagree with A, but agree that given A, B is right. Disagree with A, and think that even if A was true, B is not right. Agree with A, but do not think that B follows. Agree with A, and agree that B is thus a correct conclusion. The second one is obviously a "no", and the fourth a "yes". But what about the others? If one of those fits your view, should you answer agree or disagree? Not to mention the question of partial lack of knowledge (I don't know if A is true, but if A is true, I would then agree/disagree with B)... (And please, no flames that the author of the survey isn't on the net and can't read this.) -- "I don't care if you _did_ do it in a movie once, Gilligan is not breathing through that reed!" --Kenneth Arromdee (ins_akaa@jhunix.UUCP, arromdee@crabcake.cs.jhu.edu, g49i0188@jhuvm.BITNET) (not arrom@aplcen, which is my class account)
spaf@cs.purdue.edu (Gene Spafford) (11/19/88)
ADDENDUM TO OUR VIRUS SURVEY QUESTIONNAIRE
Due to time constraints, and our own oversight, our
survey was posted with several weaknesses. We hope to
correct some of these here, though some are beyond repair
at this late date.
1. The use of the term "virus". Where we refer to virus
in the survey, we were using it in the generic fashion
used by many of the newspapers and TV news reporters
in the past weeks. We were aware of their being a
distinction between "worm" and "virus", but were not
sufficiently informed to spot and correct our misuse
of the term before the survey was put on-line. We are
grateful to Eugene Spafford, and others, for providing
us with authoritative definitions on these, and have
taken steps to insure that we and others we can influence will
use the terms properly.
2. Some of our questions contained essentially two questions or
thoughts, though we treated them as one. This prompted
several to not answer these questions, or to answer both
thoughts separately. We regret the ambiguity and distortion
that these questions cause, and we only hope that in our
final report on the results we can make some clarifying
statement that will make the responses we received worth
the effort the respondents put into them.
3. Finally, and most importantly, we regret that the wording
of our survey seemed to imply that the Cornell University
student reported by the news (both TV and newspapers) as
having initiated the recent "worm" was in fact the real
and guilty person who did this. We did not intend to say
we think this student is guilty. And we would like him, if
he ever reads this, to know that we hope he can be cleared
of the deed, if he is innocent. We do believe in the
principle of "innocent until proven guilty", and we regret
having implicated him in the careless wording of our survey.
Please read in the word "allegedly" whereever appropriate in
the survey, as we certainly wish we had included it.
4. One more thing, the survey and its contents are the sole
creation of the four man team listed at the bottom of
the survey. We four alone, and particularly myself, are
the only ones who should be considered responsible for
the flaws contained therein. Any statements in the
survey, or implied meanings, should not be taken to be
the opinion of the University of Utah, or any department,
or employee of the University of Utah.
We regret any annoyance our errors
may have caused.
Robert McKinnon, in behalf of the
sponsors of the recently posted
Virus Survey Questionnaire.
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spafDave Lawrence (11/20/88)
rbmckinn@cc.utah.edu wrote (and spaf forwarded |:-) > We do believe in the > principle of "innocent until proven guilty", and we regret > having implicated him in the careless wording of our survey. Personally, I have always believed in the principles of "innocent -unless- proven guilty." I greatly dislike the implication of the more common wording which suggests that the accused person will eventually be proven guilty. Dave -- g l o r i o u sex i s t e n c e EMAIL: tale@rpitsmts.bitnet, tale%mts@rpitsgw.rpi.edu, tale@pawl.rpi.edu
tneff@dasys1.UUCP (Tom Neff) (11/22/88)
One wonders why the "four man team" doesn't simply withdraw such a superficial and STUPID survey, rather than adding an apology as addendum. Of what possible benefit could the answers be? -- Tom Neff UUCP: ...!cmcl2!phri!dasys1!tneff "None of your toys CIS: 76556,2536 MCI: TNEFF will function..." GEnie: TOMNEFF BIX: t.neff (no kidding)