[comp.virus] File transfer of software--A way to curb commercial infections?

gary@sci34hub.sci.com (Gary Heston) (05/22/90)

okay@tafs.mitre.org (Okay, S J) writes:

> [ ... ]  So why even
> bother with removable media? Why not do like a lot of people in the
> UNIX community do and get it via network distribution.

Networks can be infected, too, which would be regarded as a major
security risk by most admins. The current children playing with
forgeries in news.admin show this, as well as the difficulty of
tracking down persons causing problems.

> It would seem to me that the vast majority of infections comes from
> somebody sticking an infected disk in somebody elses machine and then
> leaving the virus behind on their machine, or vice versa.  M.

Or downloading an infected piece of software from somewhere.
I suppose someone could figure out how to infect a file being
passed through a system, once it becomes a common, standardized
practice.

> [ infected game example ]
>
> But if they'd left the master copy on a trusted machine, like the
> company mainframe and just let it be up/downloaded to/by Joe Customer,
> it seems like you'd stand a lot smaller chance of spreading something
> than if you moved it to a series of unsecured duplicating machines.

Assuming the company wants to maintain a full library of games on
their mainframe or server. In one division of this company, the
senior VP put out an edict that anyone who was caught with a game
program on their system would be fired. I don't think they'll
provide them on a server, either. I also wouldn't want a customer
directly accessing a mainframe/server either, for security
reasons. They might upload something infected....

As a security matter, the ultimate master and the machine it resides
on should be checked daily, or at least prior to any duplication
run. It should certainly not be used for anything else, including
playing games.

> I'm not saying this would cure everything, but electronic distribution
> would go a long way to curbing floppy exchange/swapping as a vector
> for virus propagation.

If commercially distributed, shrink-wrap software were a MAJOR channel
of infection, this would be the case. While some viri reportedly do
get into them, I think 75-80% get spread via users' floppies, and
not just games. Most of the remainder (as far as I've seen, anyway)
get distributed to individual machines on networks, as a result of
one user running an infected program (or uploading one) while logged
on. I suspect distributed software is only a couple of percent
of infection cases.

> You might argue that its inconvenient and would take forever to get a
> "transmission slot", but look at it this way: Most businesses usually
> have to use the company's central purchasing system , which means you
> won't get it for a few months anyways, so what does it matter if

Oh, so you've worked here, too?  :-)

> you're waiting for it to show up on your doorstep or on your
> harddisk???---Plus you have a single source from which the program(s)
> are distributed which is a lot easier to control than trying to find
> machine #1316286179, fifth aisle, third row, 5th shelf from the top.

If removable media is used, it's the package on the fifth aisle, etc.
because you shouldn't be copying the software off another machine to
begin with.

Incidentally, a similar scheme has been tried some years ago. I don't
think you realize the magnitude of distribution you're talking about;
there's hundreds of companies out there, with thousands of products,
virtually none of which are compatible with each other beyond some
low level hardware protocols. All of them will want their way, none
will want competitors to have access (i.e., security will be a
nightmare--this isn't public domain or shareware we're talking about)
and what happens when the system has a hard crash must also be
considered.

> You are of course welcome to praise, flame, cut to ribbons, or
> nominate for a Pulitzer anything I've said in here.  When doing so,
> assume that the archive/sole distribution system is trusted and is big
> enough to handle a moderate user load similar to an average FTP site.
> Let me know what you think,

I think that on a small scale, this is already being done on networks
using a central server. In that case, an admin is responsible for
making certain that only clean software gets loaded, as well as
educating the users in proper security and operating procedures.

As a means of commercially distributing software, it's not feasible
yet, and may never be. Think about some of the lost, misrouted, and
garbled articles you see on usenet. Would you want to try and send
a 6MB software package thru with that risk? Would you blithely trust
your (company's) system to such a package, without checking it?
If you have to check it, you might as well have shrink-wrap to open.

> - ---Steve
> OKAY@TAFS.MITRE.ORG

--
    Gary Heston     { uunet!sci34hub!gary  }    System Mismanager
   SCI Technology, Inc.  OEM Products Department  (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped

ingoldsb@uunet.UU.NET (Terry Ingoldsby) (05/29/90)

gary@sci34hub.sci.com (Gary Heston) writes:
> okay@tafs.mitre.org (Okay, S J) writes:
>
> > [ ... ]  So why even
> > bother with removable media? Why not do like a lot of people in the
> > UNIX community do and get it via network distribution.
>
> Networks can be infected, too, which would be regarded as a major
> security risk by most admins. The current children playing with
> forgeries in news.admin shows this, as well as the difficulty of
> tracking down persons causing problems.

I've always felt that networks are less likely to transmit viruses
than floppy disks because it is more likely that the culprit will be
caught.  I grant that games can be played with the signatures, etc.,
but chances are that some sort of log files are kept by the system
administrators about what came in, and when.  Although difficult, in a
crisis there is at least some hope that the dissemination path used by
the virus can be discovered.  Although not foolproof, this should act
as somewhat of a deterrent to virus writers.

Floppy disks are almost untraceable since they carry *no* copy history,
*no* history of what machines they visited and almost no means of
identifying the offender.

--
  Terry Ingoldsby                ctycal!ingoldsb@calgary.UUCP
  Land Information Services                 or
  The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

gary@sci34hub.sci.com (Gary Heston) (05/31/90)

ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby) writes:

> I've always felt that networks are less likely to transmit viruses
> than floppy disks because it is more likely that the culprit will be
> caught.  I grant that games can be played with the signatures, etc.,
> but chances are that some sort of log files are kept by the system
> administrators about what came in, and when.  Although difficult, in a
> crisis there is at least some hope that the dissemination path used by
> the virus can be discovered.  Although not foolproof, this should act
> as somewhat of a deterrent to virus writers.

Due to a company policy (which I disagree with), I am not able to
discuss any infections which may or may not have occurred here.
Consequently, if I have any real examples, I can't cite them.

Networks can propagate a virus thru several avenues, particularly if
the netadmin is inexperienced and hasn't quite got file protections
for network executables set correctly. If user Fred logs in to a
network, works a while, and runs an infected game during lunch without
rebooting (whether from a local hard drive or floppy), the virus will
try to infect the next program executed via the net. If user Barney,
who carefully logs off during lunch, logs back in and runs the infected
program, it will try to infect Barney's local drives as well (it should
have already gotten established on Fred's).

Now, we have a logfile that shows Fred, Barney, and 30 other users
ran this particular piece of software, at various times during the
day, and probably more than once. What points to the infection
source?

If there are any publicly writeable areas where users can put
executables, there is an even larger gaping hole an infection
can enter thru. (Users like to have these types of areas.)

This can be controlled somewhat by the netadmin getting the
setup correct; however, this is a somewhat optimistic hope in
view of the complexity of network software and the limited
training new admins get (I'm trying to learn Novell right
now; the company decided nobody needs to go to seminars for
anything). It's difficult to track down a security hole when
the boss is asking hourly "Why isn't the network up yet?".

The possibility of installing infected shrink-wrap software
is also a big hazard now; people who thought they were safe
by prohibiting public domain or shareware aren't.

I think the biggest thing that can and must be done is
education. Admins need it, users need it, and managers need it.
Training users to check software before they run it, scan
their drive periodically, and recognize early signs of infection
is necessary. Training admins to check EVERY piece of software
prior to installation, no matter how many layers of plastic it
was (or wasn't) wrapped in, along with safe setups. Teaching
management that this really is necessary, not just a waste
of resources, and you really do need that many tapes for
backups. Etc.

> Floppy disks are almost untraceable since they carry *no* copy history,
> *no* history of what machines they visited and almost no means of
> identifying the offender.

True. However, the person holding it can explain why they were
running the software without checking it....

>   Terry Ingoldsby                ctycal!ingoldsb@calgary.UUCP
>   Land Information Services                 or
>   The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

Incidentally, the stated reason for the do-not-discuss policy was
to prevent stock price manipulation. I still disagree; I don't think
an infection report would affect a stock price more than a few cents,
if at all. I didn't win the argument, though.

--
    Gary Heston     { uunet!sci34hub!gary  }    System Mismanager
   SCI Technology, Inc.  OEM Products Department  (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped

ingoldsb@uunet.UU.NET (Terry Ingoldsby) (06/05/90)

In article <0003.9006011949.AA14516@ubu.cert.sei.cmu.edu>, gary@sci34hub.sci.com (Gary Heston) writes:
> ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby) writes:
>
> > I've always felt that networks are less likely to transmit viruses
> > than floppy disks because it is more likely that the culprit will be
> > caught.  I grant that games can be played with the signatures, etc.,
> > but chances are that some sort of log files are kept by the system
> > administrators about what came in, and when.  Although difficult, in a
> > crisis there is at least some hope that the dissemination path used by
> > the virus can be discovered.  Although not foolproof, this should act
> > as somewhat of a deterrent to virus writers.
>
..
> Networks can propagate a virus thru several avenues, particularly if
> the netadmin is inexperienced and hasn't quite got file protections
> for network executables set correctly. If user Fred logs in to a

I freely concede this.  Networks are no safer than floppies.  You miss
the point.

> Now, we have a logfile that shows Fred, Barney, and 30 other users
> ran this particular piece of software, at various times during the
> day, and probably more than once. What points to the infection
> source?

Not *that* logfile.  I'm uninterested in who runs it on the (now)
infected system.  What I am trying to establish is the pattern of
transmission for the virus.  For instance, it is of interest to
know the general propagation path through the network.  This can
lead you back towards the site where the virus initially started.
Once you get to that site, then you can try to find the user who
owns the *source* code to the virus.  Since we do backups at
unpredictable times on our system, it would be tricky (but not
impossible) for a virus writer to hide the source code.
>
> This can be controlled somewhat by the netadmin getting the
> setup correct; however, this is a somewhat optimistic hope in
> view of the complexity of network software and the limited
> training new admins get (I'm trying to learn Novell right
> now; the company decided nobody needs to go to seminars for
> anything). It's difficult to track down a security hole when
> the boss is asking hourly "Why isn't the network up yet?".

Then your boss deserves what he gets.

> is necessary. Training admins to check EVERY piece of software
> prior to installation, no matter how many layers of plastic it
> was (or wasn't) wrapped in, along with safe setups. Teaching
> management that this really is necessary, not just a waste
> of resources, and you really do need that many tapes for
> backups. Etc.

Agreed.

>
> > Floppy disks are almost untraceable since they carry *no* copy history,
> > *no* history of what machines they visited and almost no means of
> > identifying the offender.
>
> True. However, the person holding it can explain why they were
> running the software without checking it....

Thereby punishing the victim rather than the perpetrator.  This is
somewhat like telling a rape victim that it was their fault for
walking down an alley at night.  It is true that they might be
considered foolish for doing so, but they are not the party that
should be held responsible for the offense.

My point is not that viruses are less able to infect systems via
networks than via floppy disks, but rather that the significant
possibility of getting caught (say 1 chance in 5 ??)  should
dissuade people who otherwise have no chance of getting caught.

Virus prevention has got to focus more on identifying the
culprits, and less on treating the symptoms if this is ever
going to occur.  Networks (perhaps better networks than what we
have today) are our best chance of finding violators.

Sorry to be so long-winded, but I feel that this is a philosophical
point that is often missed in comp.virus discussions.

--
  Terry Ingoldsby                ctycal!ingoldsb@calgary.UUCP
  Land Information Services                 or
  The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb
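Gary's logfile objection (everyone who ran the program shows up, so the log alone points nowhere) and Terry's reply about reconstructing the transmission path, as an added example that is not part of the thread: a Python sketch that correlates per-host integrity snapshots of a shared executable with the execution log, orders hosts by when their copy first changed, and narrows the candidates to what ran on the first-changed host inside its change window. Host names, users, times, digests and log lines are all constructed.

```python
# All data below is constructed for this example, not taken from the thread.
# Times are zero-padded HH:MM on one day, so string order is time order.
# Integrity snapshots of WP.EXE on each host: (time, host, digest).
# "clean" is the baseline digest; any other value means the file changed.
SNAPSHOTS = [
    ("08:00", "server", "clean"), ("08:00", "fred-pc", "clean"),
    ("08:00", "barney-pc", "clean"), ("08:00", "wilma-pc", "clean"),
    ("12:00", "fred-pc", "d41"),     # Fred's local copy changes first
    ("12:30", "server", "d41"),      # then the network copy
    ("14:00", "barney-pc", "d41"),   # then Barney's local copy
    ("16:00", "wilma-pc", "clean"),  # Wilma's copy is still clean
]
# Execution log as a netadmin might keep it: (time, user, host, program).
EXEC_LOG = [
    ("09:10", "barney", "server", "WP.EXE"),
    ("11:40", "fred", "fred-pc", "GAME.EXE"),  # game run from a local drive
    ("12:20", "fred", "server", "WP.EXE"),
    ("13:30", "barney", "server", "WP.EXE"),
    ("13:45", "wilma", "server", "WP.EXE"),
]

def users_who_ran(log, program):
    """The naive view: everyone who ran the program. Ambiguous on its own."""
    return sorted({user for _, user, _, prog in log if prog == program})

def change_windows(snapshots):
    """Per host that changed: (last clean snapshot, first changed snapshot)."""
    windows = {}
    for time, host, digest in sorted(snapshots):
        last_clean, first_changed = windows.get(host, (None, None))
        if first_changed is None and digest == "clean":
            last_clean = time
        elif first_changed is None:
            first_changed = time  # first snapshot whose digest left baseline
        windows[host] = (last_clean, first_changed)
    return {h: w for h, w in windows.items() if w[1] is not None}

def propagation_path(snapshots):
    """Hosts in the order their copy was first seen changed (earliest first)."""
    windows = change_windows(snapshots)
    return sorted(windows, key=lambda h: windows[h][1])

def candidate_sources(snapshots, log):
    """Executions on the earliest-changed host inside its change window."""
    path = propagation_path(snapshots)
    if not path:
        return []  # nothing changed anywhere: no window to search
    last_clean, first_changed = change_windows(snapshots)[path[0]]
    return [e for e in log
            if e[2] == path[0] and last_clean < e[0] <= first_changed]
```

The more often the snapshots are taken, the narrower the window and the shorter the candidate list; with only the execution log, the same data yields three users and no ordering.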