[comp.virus] "The Kinetics of Computer Virus Replication" by Dr. Peter Tippett

padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson) (05/25/90)

	Having had the opportunity to review this paper (22 pages), I
find it on one hand a very complex analysis, and on the other, an
overly simplistic approach to the situation.

	As some confusion concerning the definition of "virus" and "worm"
(a worm can certainly have a trigger event), and the speed of PCs
(a 12 MHz machine is not a 12 MIPS machine) indicate, the paper
is based on a few flawed assumptions.

	The most basic is that of Assumption #4 "The replication and
infection ... is essentially a binary process" (page 3) and the basis
of Equation #1 "...(infected) computers have more or less equal chance(s)
of causing infection of another...". Since the extrapolated rate of
increase of infections leads from this assumption, I cannot accept the
rest of the math though he does make some valid points. The simple
fact is that NOT all computers are equally likely to infect others.
Certainly, my office unit is far less likely to infect another than
that at HOMEBASE should it become infected. (Of course mine is somewhat
more likely to become infected).

	I would suggest that at least three separate classes of
computers are required: Source nodes (manufacturers and software developers),
Transit nodes (bulletin boards, "open" educational and corporate PCs),
and End nodes (most home and corporate units). The first two classes,
while able to widely spread infections through networks and modem
connections, are in the minority: 10% or 5,000,000 PCs (WAG). End nodes,
while they may exhibit some binary characteristics, would do so within
a relatively small domain (<100 PCs).

	Additionally, viral dynamics would have to consider at least two
stages: slow leaps between nodes via type 1 or type 2 systems, and rapid
spread within an end node (type 3) which may follow a binary
progression for a short time.

	Finally, once the characteristics are recognized, detection
time is reduced within nodes and most nodes, led by type 1 and 2,
will develop some form of "immunity" to that strain. Thus the curve
most likely will have two "knees", one at discovery by the global-
expert community, and one at discovery by the local-user communities.

	Thus, while Dr. Tippett concludes that there will be an
explosive growth in virii (I like ii better), my feeling is that
while there probably will be growth, it will be containable, and
that appropriate levels of response will be dictated by the importance
and exposure of the systems.

		Padgett Peterson, Orlando, Florida, USA
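
[Added example, not part of the original post or of Dr. Tippett's paper: a small deterministic model contrasting the homogeneous "binary" growth assumption with the three-class, two-stage spread and the two "knees" described in the post above. The 10% hub share and the <100 PC domain size come from the post; the scaled-down population, the per-step rates and the knee times are assumptions chosen only for illustration.]

```python
# Added illustration: deterministic (mean-field) comparison of the two growth
# assumptions discussed in the post. All rates and knee times are constructed.
N = 50_000           # scaled-down population (the post's WAG implies ~50,000,000)
HUB_FRACTION = 0.10  # source + transit nodes (types 1 and 2): "10%" in the post
DOMAIN_SIZE = 90     # PCs per end-node domain ("<100 PCs" in the post)
LEAP_RATE = 0.05     # assumed: end domains seeded per infected hub per step
HUB_RATE = 0.30      # assumed: hub-to-hub spread per step


def homogeneous(steps):
    """Cumulative infections when every infected PC is equally likely to infect another."""
    infected, series = 1.0, []
    for _ in range(steps):
        series.append(infected)
        infected += infected * (1 - infected / N)  # doubles while N is far away
    return series


def three_class(steps, expert_knee=None, local_knee=None):
    """Slow leaps via hubs, then doubling inside each seeded end domain.

    From step expert_knee on, hubs are immune: no hub spread, no new leaps.
    From step local_knee on, end domains detect the strain and stop growing.
    """
    n_hubs = N * HUB_FRACTION
    n_domains = (N - n_hubs) / DOMAIN_SIZE
    hubs, cohorts, series = 1.0, [], []  # cohorts: [domains seeded, infected PCs in each]
    for t in range(steps):
        series.append(hubs + sum(count * size for count, size in cohorts))
        if local_knee is None or t < local_knee:
            cohorts = [[c, min(DOMAIN_SIZE, s * 2)] for c, s in cohorts]
        if expert_knee is None or t < expert_knee:
            seeded = sum(c for c, _ in cohorts)
            cohorts.append([hubs * LEAP_RATE * (1 - seeded / n_domains), 1.0])
            hubs += HUB_RATE * hubs * (1 - hubs / n_hubs)
    return series


if __name__ == "__main__":
    flat = homogeneous(30)
    free = three_class(30)
    knees = three_class(30, expert_knee=10, local_knee=15)
    for t in range(0, 30, 3):
        print(f"t={t:2d} homogeneous={flat[t]:8.0f} three-class={free[t]:8.0f} "
              f"with knees={knees[t]:8.0f}")
```

[Domain counts are fractional because the model tracks expected values rather than individual machines; the series are cumulative infections, so no cleanup is modelled.]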

padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson) (06/01/90)

Have received several inquiries following my comments concerning this
paper from people wanting copies. The paper is the property of
FoundationWare in Cleveland, Ohio, USA. Domestic telephone numbers are
(800)722-8737 or (216)752-8181. I do not know if it is available
electronically.

Incidentally, Dr. Tippett is scheduled to be a featured speaker at the CSI
conference here in Orlando 18-21 June. I believe his talk is scheduled for
Monday morning - for information contact CSI @ (415)267-7666 (San Francisco).

------------------------------

David Chess writes in response to one of my postings:

>harder numbers to post eventually) that the 1813 and Stoned are "among
>the front-runners", with the BB back in the pack somewhere, and the
>17xx's trailing a little behind...  DC

While straightening things out, could we agree on a common name for this
virus?  David (IBM VIRUSCAN) refers to it as the "1813", people who use
John McAfee's SCAN find it referred to as the "Jerusalem-B". They are
one and the same.

------------------------------