VIRUS-L Digest             Thursday, 8 Dec 1988         Volume 1 : Issue 39

Today's Topics:
RE: CERT organization
General Macintosh virus query
re: $95 million cost of Internet Worm
Spinrite (PC)
Bursting

"HUNT, DOUG"
Subject: RE: CERT organization

The CERT organization is not a single "team" of individuals, but rather
a network of the best and brightest "hackers" or wizards as DARPA calls
them at the colleges, universities and research institutions which
compose the ARPANet. These folks are intended to be on call in the case
of an emergency and coordinated through various local points where
communication and processing resources can be made available even if
the NET goes down.

In a sense it is formalizing (but not too much) the actual ad hoc
activity that occurred around the last event. It also adds resources
and what not to support the activity and ensure that there are reliable
channels of communication and coordination for the ARPAnet and Internet
users. It is focused on the Unix users community and is actually
coordinated out of SEI. It is not truly a DoD activity although it has
been organized and supported by the DARPA folks.

ery

Hello, I am an Academic Programmer at the University of Akron, Ohio. I
am interested in obtaining more information about viruses and the
Macintosh. I know that this is a fairly general request -- but I don't
have any specific questions. We have experienced viruses on the
Macintosh, but have not been able to detect what they are nor do we
have any vaccines for them. So I would like any and all information
relating to viruses and vaccines that are available. I would guess that
there are several vaccines available as public domain and I would like
information about them. However, I have a user who would like to
purchase a vaccine (to insure integrity, etc.) so if anyone has any
information about vaccines available for purchase I would like that
also.
I am not on this list so any responses can be sent to my E-Mail
address: DUBOSE@AKRONVM

Thank you,
Kathy DuBose
The University of Akron

------------------------------

Date: Thu, 8 Dec 88 10:05:84) quotes an estimate from USA TODAY saying
that the cost of the incident exceeds $95 million.

  "This is based on 6200 computer affected, requiring 12 programmers at
  each site to spend 36 hours each (at $22 per hour) checking out every
  system that might have been affected, and adding in lost computer
  time (16 hours per system at $372 per hour). However, even if this
  figure substantially overstates the case, there is no doubt that the
  true costs were indeed in the millions of dollars."

...End Quote

Like many others, when I read this I pulled out my calculator to check
how they combined those numbers (i.e. how many computers are they
assuming per "site"?). Sure enough, $95 million comes from assuming one
computer per site. I think that's nonsense. I'll bet the average is AT
LEAST ten computers per site. We're pretty small potatoes here and we
had something like forty computers get hit. That means in order to keep
up with the Joneses, we should have thrown 12x40 = 480 programmers at
the problem. You should not be surprised to say that we managed to
handle the incident with less than one dozen programmers total.

Computers and programming do not scale in the normal manner. Chances
are, as the number of computers at a site went up, the number of
programmers required per machine went down nearly exponentially (if you
only have three machines, you probably have no idea about how they are
connected, but if you have 200, you know EXACTLY how every one is
connected to every other).

If we re-do the NCSC's calculation assuming 10 machines per site and 12
programmers per site, we get a cost of only $40 million. If we then
note that the widely quoted 6000 machine number originated in a press
conference at MIT where somebody (Jeff Schiller?)
made a complete guess, then we have to wonder about the 6200 number
(6000 + 200 to give it an extra significant digit?). I've heard much
smaller numbers suggested by others (such as three thousand). That
would pull the cost down to more like $20 million.

I don't mean to imply that my number is any better than theirs, but if
somebody gives you some numbers and then draws a conclusion from them,
you have an obligation to see if their conclusion agrees with their
numbers, and I think in this case that the answer is that it doesn't.
One computer does not a site make.

Sorry about that... my two sentence flame seems to have gotten a little
out of hand. Thanks for staying with me...

- Don Alvarez

+-----------------------------------------------------------+
| Don Alvarez               MIT Center For Space Research   |
| boomer@SPACE.MIT.EDU      77 Massachusetts Ave  37-618    |
| (617) 253-7457            Cambridge, MA 02139             |
+-----------------------------------------------------------+

------------------------------

Date: Thu, 8 Dec 88 11:00:58 CDT
From: Len Levine
Subject: Spinrite (PC)

>From: 3ZLUFUR@CMUVM
>Subject: Low level format (PC)
>
>In v. l:31, H. Smith asks about reformatting hard disks. I'm not a
>tekkie, but I assume SpinRite will do the job. It is advertised
>mainly as a way to low level format hard disks while leaving all data
>in place.
>
>It is put out by Gibson Research Corp (Box 6024, Irvine, CA 92716) and
>I think my copy was about $60. This is the Gibson that writes a
>column for Infoworld. I use it regularly.

Spinrite will NOT clean out viruses that have been written to your
disk; it will very carefully remove them, reformat the disk, and then
replace them, just like it does with any other code. It will, however,
"fix" bad blocks that a virus has used to secrete stuff, and make them
available to the disk again.

No, if you want to truly clean out any stuff on the disk, a true low
level reformat with all stuff deleted is the only way.
As stated earlier in this newsletter, low level formatting is nuclear
warfare against a virus.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                 e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science       Office (414) 229-5170         |
| University of Wisconsin-Milwaukee Home   (414) 962-4719         |
| Milwaukee, WI 53201 U.S.A.        Modem  (414) 962-6228         |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date: Thu, 8 Dec 88 13:14 EST
From: "SysOp: HelpLine BBS (703) 269-4802"
Subject: Bursting Digests for VAX/VMS?

Although I do like the new digest format, when I want to forward one
message from a digest to someone I have to extract it from mail, and
then edit out the particular message. Does anyone know of a way to
burst the digest into individual messages? Our system is a VAX.

Thanks!

Chip Whiteside
STU_CWHITES@JMUVAX1

[Ed. GNU EMACS is available for VMS machines (we have it running on
ours), and it does have an undigestifer. However, its undigestifer is
meant to work with standard Unix RMAIL files, and it may take some work
to get it to work in VMS. Anyone out there have any better solutions
for VMS machines? How about others, like IBM VM/CMS?]

------------------------------

Date: Thu, 08 Dec 88 14:33:26 EST
From: "Christian J. Haller"
Subject: Re: Cost of the RTM worm

>The Computenewsletter (#84) quotes an estimate
>from USA TODAY saying that the cost of the incident exceeds
>$95 million.
> "This is based on 6200 computer affected, requiring 12 programmers at
> each site to spend 36 hours each (at $22 per hour) checking out every
> system that might have been affected, and adding in lost computer
> time (16 hours per system at $372 per hour). However, even if this
> figure substantially overstates the case, there is no doubt that the
> true costs were indeed in the millions of dollars."
- ---------------------

I heard a reporter called somebody at UC Berkeley and asked how many
computers they had (around 1000) and what percentage were affected
(around 10%), and then blindly applied this percentage (for a highly
networked campus) to the number of computers on the Internet. The real
percentage is probably much lower.

Also, what is this about 12 programmers at each site spending 36 hours
each at $22. per hour? Most of the computers I know aboey, either.

These estimates seem like the most hoked-up, self-serving bull!**! The
commercial sources of them should be ashamed.

- -Chris Haller, Cornell University

Disclaimer: My opinions are independent of any official positions of
my employer. And I don't know RTM. And maybe he didn't even do it.

Acknowledge-To:

------------------------------

Date: Thu, 8 Dec 88 14:55:10 EST
From: Don Alvarez
Subject: re: CERT/SWAT teams

Conventional SWAT teams are effective because the law enforcement
community has been able to identify a relatively small number of basic
scenarios which cover 95% of the crimes they need to respond to. The
SWAT teams are then able to drill the heck out of those scenarios
(hostage-taking, bank-robbery, etc.). When they move in, the SWAT team
has the advantage of already having been under fire, and of having
practiced against exactly the scenario in question.

The cand is not well understood. People don't understand network
vulnerability well enough to develop the same sorts of detailed
scenarios that the guns and bombs guys use. Even worse, the possible
responses to computer crime are fairly limited and easy to predict, so
in this case the criminal has the advantage of a relatively
inexperienced adversary with a limited set of options -- exactly the
reverse of the case that the SWAT team relies on.

The other advantage that a SWAT team has is detailed knowledge of their
comrades' strengths and weaknesses.
There does not need to be any discussion as to who will handle a given
task: the choice is always obvious in a well prepared team. This IS
something that a CERT-type team could work on.

Another advantage of a SWAT team is that it can mobilize in a hurry and
has good communications facilities. This is another thing which a CERT
team could use to its advantage. One you were on the same side.

Basically, in my opinion a CERT team would basically be an exercise in
group dynamics, collecting and organizing a group of people who through
the course of their everyday work have acquired the requisite knowledge
to attack the problem. If done properly, this could be extremely
effective. If done improperly, it could actually reduce your ability to
respond because one would place too much trust in the capabilities of
the members of the team. It all boils down to who is on the team and
how you handle them. Even a single piece of paper with names and phone
numbers on it could make an incredible difference. It would not,
however, be a SWAT team.

There are a lot of people in the military who spend their time studying
group dynamics. If you can find someone who understands both group
dynamics and computer crime, and bring them into the picture, then you
have the possibility of turni

- Don Alvarez

+-----------------------------------------------------------+
| Don Alvarez               MIT Center For Space Research   |
| boomer@SPACE.MIT.EDU      77 Massachusetts Ave  37-618    |
| (617) 253-7457            Cambridge, MA 02139             |
+-----------------------------------------------------------+

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253