[news.sysadmin] Harmful security measures

kdo@edsel (Ken Olum) (11/10/88)

In article <16722@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes:

>Here is some of what needs to be done: [to protect against future viruses]
>
> . . .
>
>3.  Protect home directories.
>
>4.  Eliminate unnecessary .rhosts files
>

The things that frigtens me most about this whole affair is that
people will institute a lot of harmful and poorly-thought-out security
measures.  Unprotected directories and easy rlogin allow me to get my
work done every day.  Changing this would cause me a big loss of
productivity.  I'd rather spend my time in productive and pleasant
work, even if that means I have to chase viruses and restore my system
from backups now and then.  It's like spending $100K a year on guards
because otherwise you lose $10K a year in stolen equipment.  Easy
access to other machines and files isn't just a convenience that we
can do without -- it's an important part of being able to do anything
useful.

I'm not against security.  Somebody said that it was possible to have
a security system that doesn't interfere with easy access to the
things you need.  If that's true, let's do it, but Unix certainly
isn't like that now!

					Ken Olum

P.S. Can someone tell me the difference between a worm and a virus,
and why it is important to avoid the wrong term?

spaf@cs.purdue.edu (Gene Spafford) (11/10/88)

In article <1613@edsel> kdo@lucid.com writes:
>P.S. Can someone tell me the difference between a worm and a virus,

Here's my attempt at that:

A worm is a program that can run by itself and can propagate a fully
working version of itself to other machines.

A virus is a piece of code that adds itself to other programs,
including operating systems.  It cannot run independently, but rather
requires that its "host" program be run to activate it.  As such, it
has a clear analog to biologic viruses -- those viruses are not
considered live, but they invade host cells and take them over, making
them produce new viruses.

As such, what was loosed on the Internet was clearly a worm.

The concept of a "worm" program that spreads itself from machine to
machine was first described by John Brunner in his classic science
fiction novel "The Shockwave Rider," copyrighted in 1975.  He called
these programs "tapeworms" that lived in the innards of computers and
spread themselves to other machines.  In 1979-1981, researchers at
Xerox PARC built and experimented with actual "worm" programs.  They
reported their experiences in a CACM article, "The Worm Programs --
Early Experience with a Distributed Computation."  The authors were
John F. Shoch and Jon A. Hupp, and it was published in the March 1982
issue (v. 25, #3, pp. 172-180).

The first use of the word "virus" (to my knowledge) to describe
something that infects a computer was in the science fiction short
stories about the GOD machine written by David Gerrold.  These stories
were later combined and expanded to form the book "When Harlie Was
One," copyrighted 1972.  In that book, Gerrold described a bored
artificial intelligence that was taught by an unethical scientist how
to break into other computers and infect them with a program named
VIRUS.  This program would infiltrate the system software and bog the
system down so much that it became unusable.  The scientist then
planned to sell a program named VACCINE that could cure virus and
prevent it from becoming established.  As an aside, it so happened that
noise on a phone line caused VACCINE to become mutated so that VACCINE
didn't work -- it's an entertaining book.

The term "computer virus" was first used in a formal way by Fred Cohen
of USC in his paper "Computer Viruses: Theory and Experiments"
published in 1984 in the Proceedings of the 7th National Compter
Security Conference, pp. 240-263.  He defined the term to mean a
security problem that attaches itself to other code and turns it into
something that produces viruses.

I hope these references help.  I would suggest you read them if you
have further questions.
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf