=========================================================================
Date:         Mon, 29 Aug 88 09:48:00 URZ
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         BG0@DHDURZ2
Subject:      Losing more than data...

Hi folks,

all of us are afraid in some sense of what viruses *can* do. Sometimes it
seems as if viruses make a computer system vulnerable as never before.
Although this may not be correct I think most of us have thought of the
possible harm to people if a virus hits a computer system.

So many people on this list talked about the tragedy of losing data and/or
programs. But what is the loss of (even valuable) data compared with the
death of a human being caused by an erratic computer system in a hospital?

To see this is not a fiction, have a look at the following (words CAPSed
by me):

> COMPUTER VIRUSES
>
> Some time ago an INTENSIVE CARE UNIT in Glasgow found that its normally
> well ordered computer network was becoming erratic: data were being
> corrupted and files were being lost. Recently a general practitioner who
> used an IBM compatible computer for his repeat prescriptions discovered
> that important files were being corrupted. In both cases a computer virus
> was at work. Eventually the viruses were identified and exterminated, but
> not quickly and not without the loss of data. [... definition of a computer
> virus is and how it works...]
>                            JOHN ASBURY, senior lecturer in anaesthetics,
>                            University of Glasgow"

[ British Medical Journal, No. 6643, Vol. 297, Jul.,23 1988 ]

Can anybody on this list confirm this? Anyway, I think we will have some
new topics for further discussions:

 - What mental diseases drive a programmer to design a virus that will
   hit a hospital computer system?
 - If a person is being killed by computer (re-)action caused by a virus:
   Is sHe (the programmer) a murderer?
 - How should computers be used in environments like a hospital while a
   secure computer system (resistant against viruses) is not available?
Waiting for appropriate answers,
        Bernd.

+-----------------------+--------------------------------------------------+
! Bernd Fix             ! EARN/BITNET: BG0@DHDURZ2 or BG0@DHDURZ1          !
! Bergheimer Str. 105   ! UUCP: ...!{unido:pyramid}!tmpmbx!doitcr!bernd    !
! D-6900 Heidelberg     ! VNET (VoiceNET): +49 6221 164196                 !
+-----------------------+--------------------------------------------------+
!  ....1010101001110101101010010010101001001000100101011011101100101....   !
!       This doesn't look like a cry for help, more like a warning!        !
!                                                                          !
+--------------------------------------------------------------------------+
=========================================================================
Date:         Mon, 29 Aug 88 06:48:30 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         me! Jefferson Ogata
Subject:      virus blame, p.o. boxes, and NSC

Hopefully if person A unwittingly supplies a virus to person B, he won't
be assumed guilty merely because he is a capable assembly programmer.
The burden of proof SHOULD be on the plaintiff.  Knowledge of programming
skills would be purely circumstantial (I think).

Loren and everyone:
I'm perhaps a bit paranoid about money, but I make it a point NEVER to
send money to an unincorporated individual via a P.O. Box for something
of which I have no proof or receipt.  So if registering for your
conference must involve sending a check to your P.O. Box, I'll have to
forget it.  If you can provide a more reasonable method, I'd love to come.

Who is the National Computer Security Center?  Is this what you mean by
NSC?

- Jeff Ogata
=========================================================================
Date:         Mon, 29 Aug 88 14:53:09 +0300
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Y. Radai"
Subject:      CRC vs. encryption schemes

Loren Keim writes:
>                                                     There are
>packages that have had extensive testing by the NSC I'm
>told, there are packages that utilize DER encryption schemes
>which is much better than trying a simple CRC.
>
>I would pay at least 5 times as much for a DER encryption
>than for a CRC scheme.  You have to realize that the value
>of the product is worth what was put into it.

  I challenge Loren to defend the claim that a CRC scheme is inferior to an
encryption scheme.  But first, let's get one thing clear.  Opinions on the
merits of CRC differ widely, and I think this is due almost entirely to the
fact that different people mean different things when they speak of CRC.
For purposes of checking whether a file has been corrupted while sent over
a communications line, CRC with a *standard* generating polynomial, usually
the CCITT polynomial, is used.  However, when a checksum (or signature)
algorithm, CRC or otherwise, is used for detecting viral infections, the
first requirement, in order to minimize the likelihood of forging the
checksum, is that (for any given file) it should yield a *different*
checksum when used by different users.  In the case of the CRC algorithm,
this ordinarily means that instead of using a *fixed* generator for all
users, that polynomial must be chosen *personally* by each user or
*randomly* by the program when the database of checksums is first created
for that user.

  Given satisfaction of this requirement, I challenge Loren to produce
explicit reasons why a program based on a CRC algorithm is any worse, from
a practical point of view, than one based on "DER" [DES?].  And similarly
for anyone else who thinks the same of RSA or any other cryptographic
algorithm.  And if anyone can come up with such a reason, let him explain
why such an algorithm is *sufficiently* better than CRC to justify the
*much greater execution time* required.

  It should be pointed out that *no* checksum algorithm, no matter how
sophisticated, will provide dependable detection of viral infection unless
certain loopholes are blocked by the program utilizing that algorithm.
I know of three such loopholes and I know of only one program which
satisfies the above requirement and which blocks all three loopholes.
(I suspect that even Fred Cohen's RSA-based program [1] doesn't do this,
and that even with his latest techniques for reducing execution time, a
CRC-based program will still run considerably faster.)

                                           Y. Radai
                                           Hebrew Univ. of Jerusalem

[1]  F. Cohen, "A Cryptographic Checksum for Integrity Protection",
     Computers & Security 6 (1987) 505-10.  (I've been told that the
     source code for his program appeared in the April 1988 issue of C&S,
     but I have not yet seen it.)
=========================================================================
Date:         Mon, 29 Aug 88 08:13:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Who's SAFE?
In-Reply-To:  Message of 28 Aug 88 21:35 EDT from "Loren K Keim -- Lehigh
              University"

I am not sure that we have the correct question here.  The question is
not so much "who is safe" as it is "how is safe."

If viruses were hard to come by, we should not bother to have this
discussion.  It is a little silly to say that anyone has a proprietary
right to the Lehigh virus.  If people were trying to maintain their
proprietary rights in viruses, there would not be a problem.

The question is, how can qualified academics exchange sufficient
information about the nature of specific viruses without contributing to
the problem?  I hope that we can agree that distributing live viruses by
this network is not appropriate.

Three ideas occur to me.

1) Know who you are talking to.  Before sending a virus to anyone, be
certain that you know who they are.  They can advertise their interest
(even in the network), and credentials.  You can check those credentials
with others.  You can verify the address.

2) Carefully label the virus.  Part of the problem with viruses results
from the fact that they do not advertise their purpose and intent in
their names and documentation.
To label them is, at least partially, to disarm them.

3) Sterilize them or disarm them before sending them.  The academic is
interested in how the virus is designed to behave.  It is useful to
preserve that information.  However, it is not necessary to preserve the
behavior to do that.  If you are able, disarm the virus before sending.
If you are not, best leave the forwarding to someone who is.  Simply
destroy the virus.  If yours is the last copy, you are a hero.  If not,
someone qualified to disarm it will likely see it.

Others can surely add to this short list.

All that having been said, I think that a demonstration is required of
those who assert that this traffic is necessary.  We have seen excellent
expositions in this forum of all of the necessary information to deal
with particular viruses.  I would assert that those expositions told me
everything that I needed to know, even everything that I needed to write
a specific antidote, without preserving the behavior of the virus.

While I acknowledge that not just anybody could have done the necessary
analysis or written those expositions, and it is necessary to deliver the
virus to those that can, I would hope that we can limit the traffic to
the absolute minimum necessary to accomplish that.  If the exposition has
been done, further distribution of that virus can only be justified by
morbid curiosity.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
=========================================================================
Date:         Mon, 29 Aug 88 08:15:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Virus Conference
In-Reply-To:  Message of 28 Aug 88 21:40 EDT from "Loren K Keim -- Lehigh
              University"

While I have watched a lot of the traffic about the conference, I must
have missed the actual announcement.  Please send me a copy.
In the meantime, please count me in.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
=========================================================================
Date:         Mon, 29 Aug 88 10:54:21 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         OJA@NCCIBM1

Re: Distribution of viruses/accountability/liability

Mr. Murray made excellent points concerning the compromise of security by
even the people who work as security managers. The more people who have
access to the "live" viruses, the more likely that there will be a leak.
Most of the security managers are probably themselves trustworthy (I hope.
:-)) but then what about each manager's computers, buildings, support
staff, etc.? The potential for unintentional leaks persists; the only sure
preventive is not having the viruses there period. The more people
undertaking to study and develop means of countering viruses (which is
definitely needed), the risks increase.

Then, even with otherwise respectable people, there is always a possibility
that someone will have a "price" that will suffice to encourage them to
"leak" the viruses. The price could be monetary or ideological. I have a
mental scenario that illustrates this situation. Let's say that a manager
of Irish-American background were approached by several "interests". Each
one sought to use viruses as a weapon against their "target" computers.
The manager refuses and most likely passes on information about such
"offers" to security agencies, FBI, NSC, whatever. Then someone from the
IRA came up and suggests the need for hitting the computers used by MI6 or
the Royal Ulster Constabulary. The manager's principles MAY come under a
more severe test now. (This scenario is not to pick on the Irish or any
particular group. Most people have a vulnerable area. Hopefully, integrity
will win out.
For myself, I can admit that I probably would shed little tears if a
computer system used by the PLO or by a neo-Nazi group was hit by a virus.
But I also realize the gigantic dangers of "firing the first salvo" in the
world.)

Yes, this scenario resembles something out of a "spy thriller" but it
serves as an apt warning about human weaknesses. Of course there are other
factors that can encourage leaks. Greed and revenge are all time classics.
The danger exists.

The more likely hazard still is a leak by employees, cleaning personnel
(yes this can happen if the systems are not well secured), burglars carting
off the PC's, etc. It is even worsened when the viruses are given to
newsmen. (Although my secondary job is along those lines, I agree about the
dangers expressed by Loren.) There are all too many curiosity seekers out
there as well; people who want a virus as a "trophy".
=========================================================================
Date:         Mon, 29 Aug 88 11:14:00 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)"
Subject:      RE: CRC vs. encryption schemes

Y. Radai asks why CRC checking, given the requirement that:

        [The] polynomial must be chosen *personally* by each user or
        *randomly* by the program when the database of checksums is first
        created for that user.

is not as good as a DES- or RSA-based checksum.

The answer is:  It depends on the model you are concerned with.  But before
we even get to that, you CANNOT choose any old "random" polynomial - you
have to choose one from an appropriate class.  This is not hard to do; the
theory is worked out in a paper of Rabin's, "Fingerprinting With Random
Polynomials" or some such.  (Sorry, I don't have the reference; it probably
appeared in a STOC or FOCS 3-4 years ago.)  Note that to get reasonable
security, you need a moderately large polynomial, so your software
implementation may not be as fast as you thought it would be.
As for the model:  A CRC scheme assumes that your opponent cannot see the
result of applying your CRC.  CRC is not (known to be) "crypto-secure":  It
may very well be that, given a program P and its CRC C, with an unknown
polynomial, I can find another program P' with the same CRC.  Note that
this is a MUCH weaker condition than saying that I can determine the
polynomial.  In fact, the real situation may be that I cannot be CERTAIN
that P' will work, but that probabilistically it's a good bet.

Given a properly-constructed cryptographic checksum, such as the DES
checksum, even if I can CHOOSE a large sample of programs P1,...,Pn and get
you to hand me their checksums, I still can't find any other program P'
with the same checksum as any of the Pi's - unless I know the key you are
using.

Is this important?  It depends on the situation.  Using CRC, you can NEVER
publish lists of checksums.  With DES, you can do so safely.  Only people
to whom you have given your key will be able to do anything useful - or
nasty - with the published information.

It's possible to construct even stronger checksums:  Those which cannot be
spoofed EVEN BY SOMEONE KNOWING THE KEY.  This is easy to do using a
technique that, unfortunately, makes the checksum as large as the
information being protected:  An RSA signature will do quite nicely.
Whether there is a way to do this with a small checksum, I don't know.

                                                        -- Jerry
=========================================================================
Date:         Mon, 29 Aug 88 11:17:04 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         OJA@NCCIBM1

Re: Limiting dist of viruses as protection for computer professional

While there is legitimacy for a very limited distribution of viruses for
study by a limited number of professionals, limiting the distribution of
viruses, besides protecting the world in general, also protects computer
professionals who might otherwise keep a virus or two around.
A story from my college days when I worked one summer as a porter
(translate that as a janitor) in a hospital. One day, the housekeeping
staff had accidentally locked themselves out of the laundry room and the
washing machine was going amok - overflowing with sudsy water. The water
and suds were coming out from under the door. I offered to try to open the
door using a couple of methods that I had heard of. One of the housekeepers
warned me not to do it. Rather, she suggested, let the flooding continue
until the hospital got a locksmith. The reason is that if I succeeded
opening the door, it would be viewed that I "knew locks". So, then, if
anything was stolen, if any drugs disappeared, or any equipment vanished, I
would have been the prime suspect. And this was not a matter of "pikuach
nefesh", of life or death. So I followed the advice.

Her advice stuck with me over the years. It also applies to computer data
security issues. If I kept viruses and something happened in my area of New
Jersey, I could be viewed as a suspect. It has been hazardous enough for
being known as an author of articles about viruses. (One BBS sysop claimed
that my text was a "virus" because his BBS crashed soon after I uploaded an
ASCII file of one of my articles. Guilt by association.) So all the better
not to have the "live samples" unless one is REALLY part of the solution.

Addendum to previous posting of accountability....

Another problem in distributing viruses is the problem of verifying who the
"security professionals" making requests are. E-mail can be deceptive. Same
for letters, phone calls, etc. Face to face contact helps, but all too
often there is great amount of uncertainty. This uncertainty can be reduced
by further follow-up checks, but the risk is never eliminated totally.
In reading about security risks elsewhere, I have come across a number of
examples of "spoofs" where someone was induced to work for the KGB or other
agencies by the agency presenting itself as some other group - CIA, MI5,
Mossad, etc. Again, these are extreme cases. But they illustrate how often
people will only do shallow checks. Incidentally, a corporate/government
letterhead is not absolute proof of "genuineness" either. One can always
form a "dummy" corporation and the print shops can always prepare a
letterhead of any design. There is even the danger of an employee of
legitimate concerns with their own "agenda". It is a very complicated world
out there.

Again, Mr. Murray thank you.

PS, Mr. Murray, I'll be getting in contact with you about the question
concerning FIDONET that you asked before the Fred Cohen lecture in July.
=========================================================================
Date:         Mon, 29 Aug 88 11:53:02 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Bob Babcock
Subject:      Re: PERFECT virus?
In-Reply-To:  USERCE57@UBCMTSG message of Sat, 27 Aug 88 12:22:30 PDT

>An extra, and as yet
>unidentified hidden file seems to have appeared on the hard disk and many
>floppies.  (This is in addition to the two MS-DOS system files and one
>partitioning the hard disk.)

If a disk has a volume label, CHKDSK will count that as a hidden file.
Could this be the "unidentified" hidden file?
=========================================================================
Date:         Mon, 29 Aug 88 12:00:08 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Ken Pendell
Subject:      Re: Who's SAFE?
In-Reply-To:  Message of Sun, 28 Aug 88 21:35:21 EDT from

>
>If the FBI comes to me and wants complete information, I
>will give them everything I can; if someone designing a
>virus-fighting package comes to me, I probably will not.
>
>Loren
>

You have a much greater trust in our government than I.
Ken Pendell
=========================================================================
Date:         Mon, 29 Aug 88 13:02:54 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Frank San Miguel
Subject:      Re: SUG
In-Reply-To:  Your message of Thu, 25 Aug 88 10:32:24 EDT

I'm not sure as to when the company's going to court, but I'll keep an eye
out for any reports.  Any more volunteers for watching for Softguard?
=========================================================================
Date:         Mon, 29 Aug 88 13:23:45 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         GARY SAMEK
Subject:      Re: The Adolescence of P1
In-Reply-To:  Message of Sat, 27 Aug 88 20:03:00 EST from

For everyone that is now looking for this book, it is now out of print.
Or at least it was out of print at the beginning of this summer when I
last gave a serious attempt at locating a copy of it.  If anyone has any
luck finding a copy of this book, I would be interested in hearing about
it.  I was told at a local book store that my best chance would be to look
in used/traded book sections.  I have looked in the local libraries for
the book without any luck there either.  Good Hunting.

Gary Samek
Bitnet   C133GES@UTARLVM1
Telnet   C133GES@UTARLG
Arpanet  C133GES@UTARLG.ARLINGTON.TEXAS.EDU
=========================================================================
Date:         Mon, 29 Aug 88 13:38:29 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Frank San Miguel
Subject:      Re: Softguard
In-Reply-To:  Your message of Thu, 25 Aug 88 19:04:00 EST

Thanks for the information that you sent and to the effort you put into
it.  It's been very interesting reading.

Frank
=========================================================================
Date:         Mon, 29 Aug 88 22:33:57 +0300
Reply-To:     gany@taurus
Sender:       Virus Discussion List
Comments:     If you have trouble reaching this host as MATH.Tau.Ac.IL
              Please use the old address: user@taurus.BITNET
From:         GANY@TAURUS
Subject:      what is DER ?
Can someone please explain, to the fool among us (like me), WHAT IS and
HOW DOES "DER" work (a short bullet proof explanation).  That will make
the flaming argument about CRC vs. DER much more clear to people who are
not certified computer hackers (yes, ordinary people exist too !).

If it was already done and I missed it, please accept my apologies.

thanks
Yair Gany
Gany@Math.Tau.Ac.Il
Tel-Aviv University
=========================================================================
Date:         Mon, 29 Aug 88 15:29:08 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe McMahon
Subject:      Re: The First Virus
In-Reply-To:  Message of Sat, 27 Aug 88 13:26:26 EDT from

>What exactly is "The Adolescence of P1"?  Fact or fiction?

Anyone who says that a truly intelligent program could run on a 512K MFT
system is *definitely* writing fiction. Half the time you couldn't even
run a STUPID program! :-)

--- Joe M.
=========================================================================
Date:         Mon, 29 Aug 88 17:45:07 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth P. Russell"
Subject:      Re: More administravia ...
In-Reply-To:  Message of Wed, 24 Aug 88 10:52:00 CDT from

I am getting two copies of virus mail.
=========================================================================
Date:         Mon, 29 Aug 88 22:14:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Glen Matthews
Subject:      Outline of Worm Pgms Paper in CACM

While not wanting to help bury Loren with yet another copy of the paper
"The 'Worm' Programs: Early Experiences with a Distributed Computation"
(in CACM March 1982, pp.172-180), as I am sure that more than 1 copy is
now winging its way there, I thought that others on this list might be
interested to peruse the outline of this paper, together with an
annotation or two.  (Whew!)
(Incidentally, John Brunner's "The Shockwave Rider" is referenced therein
as well as "The Adolescence of P1" and one I hadn't heard of, "The Medusa
Conspiracy" by Ethan I. Shedley.)

1    Introduction
       - distinguishes so-called "distributed computing" from worms -
         "distributed *computations*"
2    Building a Worm
       - worm: a computation which lives on 1 or more machines; the
         program on each machine is termed a "segment"
2.1  General Issues in Constructing A Worm
       - authors emphasize that since the worm *takes over* the host
         machine, any disk residing on that machine should not be written
         on; doing so is labelled as a "profoundly antisocial" act
2.2  Starting a Worm
       - on 1-st machine, worm is started as would be any other program
2.3  Locating Other Idle Machines
       - worm expands to its full complement of machines using *only*
         idle machines (say, overnight)
2.4  Booting an Idle Machine
       - the architecture of the network (ethernet) is such that an idle
         machine (running a memory diagnostic test pgm) can be requested
         to boot from the network, but control cannot be seized
2.5  Intra-Worm Communication: The Need for Multi-Destination Addressing
       - problem of co-ordinating which machines are currently still part
         of the worm; time-out and labelling a non-communicative segment
         as not part of the worm any more
2.6  Releasing Machines
       - memory diagnostic is re-started; noted that if segment or boot
         fails, the machine is effectively cut out of the network
         (stopped)
3    A Key Problem: Controlling a Worm
       - puzzling situation recounted: a small worm left running
         overnight resulted in a dozen machines "dead" the next morning;
         a corrupted copy of the worm was failing in the boot sequence;
         some machines were physically locked up and running the worm and
         thus could not be aborted; luckily, an emergency escape had been
         included within the worm, so that it could be shut down;
         "...unfortunately, the embarrassing results were left for all to
         see: 100 dead machines scattered around the building..."
4    Applications Using the Worms
4.1  The Existential Worm
       - this program simply stayed alive
4.2  The Billboard Worm
       - distributed a "cartoon of the day"
4.3  The Alarm Clock Worm
       - used to signal a user at a later time; not dependent upon a
         single machine; would dial up user's telephone!!!
4.4  Multimachine Animation Using a Worm
       - a single controlling node using other machines to multi-process
         the graphics problem at hand, generating animation effects
4.5  A Diagnostic Worm for the Ethernet
       - testing pair-wise communication error rates for networks of 120
         machines, using a single controlling node
5    Some History: Multi-Machine Programs on the ARPANET
       - routing algorithm (IMPs); McRoss; the "Creeper"; "much of this
         work, however, was done in the early '70s"
6    Conclusions

Although "worms" sound as nefarious as viruses I would suggest that they
are something completely different. For one thing, the computing
environment required is different than that in which viruses are being
found today. For another, far from having an "infection" it sounds as
though worms will need to utilise network calls to install themselves.
This implies a far greater measure of control over the resources that a
worm would be able to command.

Anyway, this hopefully will encourage those interested to truck on down to
the library for this article.

Glen Matthews
=========================================================================
Date:         Tue, 30 Aug 88 00:45:18 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University
Subject:      Replies to Virus-L Comments

Bernd,

I have not heard of the specific incident you cited about a virus
attacking a hospital, but have heard of at least 6 more incidents.  None
of the incidents were very dangerous to patients, but were apparently
written to attack a specific hospital system.  I think it takes a very
sick human being to attack such systems.
Jeff,

Surprisingly, you are the very first person to ask about the integrity of
the individual vs the company.  I agree with you, there is very little I
can do here to prove that I am being honest and won't run off with your
money.  I will provide receipts to people along with hotel names and so on
(I had already planned on this, and even picked up a receipt book!), and
you should write in the Memo section of your check (most checks have
these) that it is a registration fee for a virus conference, include a
letter and keep a xeroxed copy of it.  If you are really worried, then
mail yourself a xeroxed copy of the letter the same day you send me a
check and don't open the letter.

Incidentally, an individual is much easier to sue than a company.  A
company can just dissolve or declare bankruptcy.  You can put a lien on my
property (THAT IS NOT A SUGGESTION!).  And you will get a cancelled check,
which is evidence itself.

NSC:

When I speak of the NSC (which individuals have talked to me and
identified themselves as being from this organization), I ASSUME it is the
National Security Council (Is that last word Council?) under Pres. Reagan.
I am in NO WAY certain this is who I talked to.  When I refer to the
National Computer Security Center, I am referring to an entirely different
group.

DES:

I MEANT DES, not DER... I make that mistake often.

William H. Murray:

Thank you, you pointed out a few things that I missed.  I neglected to say
anything about sterilizing viruses before sending them anywhere.  It's
common practice, so it was something I overlooked.

Bob and others:

Wasn't Miami U telling us several months back that they had been hit by a
virus which attacked Word Perfect?  (Who has a problem with Word Perfect?
It's a good and inexpensive word processor!)

Thank you,

Loren K Keim
=========================================================================
Date:         Tue, 30 Aug 88 03:38:07 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         me!
              Jefferson Ogata
Subject:      conference queries

Loren:

The check to a P.O. box is definitely out of the question, unless you
could provide a name of a reputable sponsor of the conference I could
contact.  Who is sponsoring the conference?  I am also curious as to
whether there will be profits, and if so, what will become of them.
Obviously, you can't give a definite answer as to whether the fifty
dollars apiece will be too much or too little at this stage.  Have you had
any experience organizing conferences?  I would like to know what your
status is at Lehigh, and to what extent Lehigh University is involved.
Also, how many people have sent checks?  Perhaps with this information, I
would consider attending.

- Jeff Ogata
=========================================================================
Date:         Tue, 30 Aug 88 03:53:40 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Amanda B Rosen
Subject:      Re: The Adolescence of P1
In-Reply-To:  Your message of Mon, 29 Aug 88 13:23:45 CDT

I read that book when it first came out. While the virus stuff is
reasonably accurate (the AI part is junk), my impression of the book was
that it was badly written and not immensely gripping.

Still, it has been ten years or so, so I could be wrong...

/a
=========================================================================
Date:         Tue, 30 Aug 88 07:56:03 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Ken van Wyk
Subject:      Re: conference queries
In-Reply-To:  Your message of Tue, 30 Aug 88 03:38:07 EDT

> Who is sponsoring the conference?

Loren is.

> I would like to know what your status is at Lehigh, and to what extent
> Lehigh University is involved.

Loren is an undergraduate student here at Lehigh, in good academic
standing I believe.  Lehigh University, to the best of my knowledge, is
not involved in the conference in any way.  At least the Computing Center
certainly is not.

Ken

Kenneth R. van Wyk                   Calvin: Where do we keep the chainsaws?
User Services Senior Consultant      Mom:    We don't have any!
Lehigh University Computing Center   Calvin: None?!  Mom: None at all!
Internet:                            Calvin: Then how am I supposed to learn
BITNET:                                      how to juggle?!
=========================================================================
Date:         Tue, 30 Aug 88 11:29:42 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         OJA@NCCIBM1

Re: Interest in THE ADOLESCENCE OF P1 /Book Search

A local used bookstore in my area has a number of slightly used copies of
the book. If anyone is interested in obtaining a copy, please contact me
by postal mail or telephone to work out arrangements. In general, I
believe that the best bet for finding this book will be the used
bookstores. Look under Science Fiction.

J.D. Abolins
301 N. Harrison Str., #197 (mail only)
Princeton, NJ 08540
(609) 292-7023

If anyone has trouble finding John Brunner's SHOCKWAVE RIDER, I believe I
have seen it in the used bookstores as well.

Thank you.
=========================================================================
Date:         Tue, 30 Aug 88 11:39:49 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "David A. Bader"
Subject:      Virus Arguements Hit Home

Yesterday, I was calling up this area's local BBS's, when to my surprise,
I found a feud going on.  One BBS sysop claims that a second sysop is
responsible for a virus that he somehow got.  Since FluShot gave the
receiving sysop an error message (which probably is common, but he doesn't
realize that) he feels that the virus can be traced to the host sysop's
BBS and therefore is seeking damages..  The host sysop claims that if he
is being accused and wrongly slandered that he would consult legal
authorities at his business.

I am not sure if all the details here are 100% accurate, but I can upload
a copy of the messages in the feud here if some people are interested.

David A.
Bader DAB3@LEHIGH ========================================================================= Date: Tue, 30 Aug 88 17:20:49 +0300 Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Y. Radai" Subject: CRC vs. encryption schemes A few comments on Jerry Leichter's reply to my question/challenge: >It may very well be that, given a program P and its CRC C, with an unknown >polynomial, I can find another program P' with the same CRC. Note that this >is a MUCH weaker condition than saying that I can determine the polynomial. Agreed. I never assumed that one had to determine the polynomial in order to forge a CRC. However, it's not enough to say that "it *may* be that ...". If you can't demonstrate a *method* for doing this in general, you won't convince many people. So for sake of argument, I shall assume you have in mind some- thing like the method described by Woody Weaver in his May 17 contribution to VIRUS-L. If so, where do you get the set of polynomials gi(x) from? It would clearly be impractical to take it to be all possible polynomials (even assuming you know the size of the generator). So do you simply choose (say) 100 poly- nomials at random, apply Woody's procedure, and hope for the best? That would take a lot of computation time, which would certainly be noticed. And even if it isn't, if the probability of succeeding isn't sufficiently large, the CRC checker will sometimes notice your attempted forge, tipping off the community to the existence of a virus. Can you supply any assurance that this probability will be large? And if you are thinking of some quite different method of forging the CRC, could you please explain it? > you CANNOT choose any old "random" polynomial - you have to >choose one from an appropriate class. For reasons mentioned above, I think your words "CANNOT" and "have to" are a bit too strong. 
Anyway, I presume you're referring to a restriction on the set of polynomials (from which the generator is randomly chosen) to the subset of *irreducible* polynomials. The reason I didn't mention this in yesterday's message was that I considered this to be a relatively minor matter compared to the distinction between a fixed generator and a personal/random generator. (Recall that the requirement which you quoted was described by me as the *first* requirement, not the *only* requirement.)

Since I may have misunderstood something and this might be a more important point than I thought, it should be mentioned that a CRC checker (the same program which I mentioned in my message yesterday) has been written which makes a random choice among almost 70 million irreducible polynomials. Do you think anyone can forge a checksum on that basis? This program is based essentially on Prof. Michael Rabin's "fingerprint" algorithm, and as you yourself admitted in your contribution of May 9, that makes it cryptographically strong despite the fact that it is CRC-based.

Perhaps I could rest my case here, but there are a couple of additional details:

> Note that to get reasonable security, you need
>a moderately large polynomial, so your software implementation may not be as
>fast as you thought it would be.

The above program uses a 31-bit generator and is at least as fast as any other checksum program I have tried (except for FluShot+, which probably uses something more primitive than CRC; in any case it doesn't satisfy my "first" requirement).

> Using CRC, you can NEVER
>publish lists of checksums.

Since use of a CRC algorithm for the detection of viral infection (which is the only context in which I mentioned CRC) doesn't imply the need for such a list, this remark doesn't seem to me to be relevant to my question. But I'm still curious to know exactly how one would exploit a list of CRC checksums to do something nasty.
In short, Jerry, I don't think you've succeeded in supplying any good justification for the much greater execution time required for DES- and RSA-based algorithms as compared to a Rabin-type CRC algorithm, and unless I've missed some important point, not even compared to an ordinary CRC algorithm satisfying my "first" condition.

Y. Radai
Hebrew Univ. of Jerusalem
=========================================================================
Date: Tue, 30 Aug 88 08:10:42 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
In-Reply-To: Your message of Mon, 29 Aug 88 10:54:21 EDT

Your point is certainly a valid one. Virtually any programmer with ill will toward an organization or institution could formulate a virus in a few hours (or a poorly constructed virus in less time) and crash that system should it have weak defenses. It's disturbing to think that such vengeful persons can easily bring about "viral warfare."

That brings me to another point, if a war should take place (sensibilities forbidding), how prominently would viruses be used as a means of attacking an enemy? This sounds like the plot of a cheesy film, but anything's possible.

Frank
=========================================================================
Date: Tue, 30 Aug 88 10:48:33 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: A few questions

I've got two questions concerning Mac viruses. First, if programs like Ferret and Vaccine are not as dependable as one could hope, how does one search for a viral infection using ResEdit? Also, could someone dig up a copy of Howard Upchurch's article on SCORES and forward it to me? Thanks.
Frank
=========================================================================
Date: Tue, 30 Aug 88 13:15:41 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Who's Sponsoring What

Thank you for answering Ken, but please do not answer questions you know little about before consulting me.

The conference is sponsored at this time by two organizations within Lehigh, and I am trying to get a department to sponsor the conference. I will be able to tell you later this week who you may contact within Lehigh for information.

Agreeing with Ken, I am enrolled in the undergraduate program at Lehigh. I dislike the term undergraduate because I have worked in the field for over 6 years and had taken courses at schools previous to attending Lehigh. Undergraduates, unfortunately, often are thought of as people who don't know anything and haven't spent time working in the real world, so I continue to shy away from that label.

If you question my integrity, you can check up on me. I was a member of the Bethlehem Beautification Committee, a part of a group to the Bethlehem Area School District Superintendent Committee, and have served on many non-profit organizations. I was one of the people who started the "Save our Statue" fund about 6 years ago that obtained national status. I am easy to contact through any of the Century 21 Keim Realtor offices in the Lehigh Valley area, Keim Enterprises. While all of this means practically nothing, I like to think I have a decent reputation for being fair and so on.

I am using a P.O. Box because it is easier for me to separate mail that way. If you so desire, I live at 1950 Ravenwood Drive in Bethlehem (Zip 18018). Again, it's very hard for me to assure you that I am "on the level". I think tomorrow I may be in a better position to discuss it, however. If you have any specific questions, you can direct them to me here at LKK0@LEHIGH.
Thank you,
Loren K Keim
=========================================================================
Date: Tue, 30 Aug 88 13:13:36 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Steven C. Woronick"
Subject: Re: Outline of Worm Pgms Paper in CACM

For the benefit of the non-expert, could I suggest that we spell out certain abbreviations which one would anticipate will elicit questions when they first appear in a message? For example if I mention DES, my first reference to it might appear as "Data Encryption Standard (DES)." (By the way, there is a discussion of DES in the book "Numerical Recipes" --- sorry I don't have it in front of me so I can't tell you the authors). Maybe this is too burdensome to ask? Maybe one of us should put together a glossary? Although I have already inferred more or less the meaning of DER and CRC, can somebody please tell me what they stand for? Finally what is the name of the journal CACM spelled out?

Steve
=========================================================================
Date: Tue, 30 Aug 88 17:24:37 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Virus Conference Concerns Update

To answer some of the concerns people recently had here about the virus conference:

As I had said before, we were being sponsored by two Lehigh University organizations but not by the college itself. We are working on trying to get the university to sponsor the conference at this time. We should know in the next few days the answer. The major concern the University seems to have is that Lehigh must maintain the highest possible standard of professionalism at a conference, as any college or university should. If we are sponsored by Lehigh, then those of you who might have had questions about integrity will be able to send a check directly to Lehigh.
Other than that, we seem to have a great list of speakers, panelists and others coming representing a wide variety of computer security experts and amateurs. I will keep you informed.

Thank you,
Loren Keim
=========================================================================
Date: Tue, 30 Aug 88 14:49:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Jim Shaffer, Jr."
Subject: Re: Outline of Worm Pgms Paper in CACM

CRC stands for Cyclic Redundancy Check. CACM is the "Communications of the Association for Computing Machinery." DER, as far as I know, was an error for DES. Don't flame me if I'm wrong; there's getting to be a lot of mail and little time to read it.

--Jim
=========================================================================
Date: Tue, 30 Aug 88 12:07:13 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: Re: Virus Arguements Hit Home
In-Reply-To: Your message of Tue, 30 Aug 88 11:39:49 EDT

Dueling Sysops. Sounds like a song subject.

Maybe this question has already been brought up but I'm curious what people's thoughts are on the subject. In a recent issue of Computerworld, the subject of viruses and how they fit into insurance costs was raised. On one hand, those paying the insurance feel that they should be compensated for their losses to viruses since they're paying high bills. Insurance companies, though, feel they shouldn't have to pay for another person's behavior. The article listed a few companies that do have provisions for viruses and those who are undertaking the task. I'll put them up if anyone wants them.
Frank
=========================================================================
Date: Tue, 30 Aug 88 15:30:11 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Marks
Subject: Re: Outline of Worm Pgms Paper in CACM
In-Reply-To: Message of Tue, 30 Aug 88 13:13:36 EDT from

Steve,

Your suggestion about spelling abbreviations on first use is a good one. It is a fairly well recognized standard for reports, etc., and is a good idea for here. Only the most EXTREMELY common abbreviations should not be done this way, at least on the first use. In reply chains, this should probably not be necessary. I, too, am not familiar with all the jargon and abbreviations such as DES. I do know what CRC stands for, although I don't know how to use it. By the way, CACM stands for Communications of the Association for Computing Machinery (ACM). This is the primary journal of the ACM.

Jim Marks
=========================================================================
Date: Tue, 30 Aug 88 14:22:01 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve
Subject: Assurance

I really cannot understand all the fuss about whether Loren is on the up and up. There is not a shred of evidence for, and it is ridiculous to suggest, that Loren might perhaps embezzle the funds for the conference and skip town. The conference money is not very much compared to the loss of reputation, risk of a law suit, and other damages certain to be incurred by such a fraud. I would however suggest (Loren probably already knows this) that a bank account be established solely for handling the conference expenses and that Loren obtain and retain all receipts for all conference-related expenditures. This is good insurance against later accusation. The question about left over monies is a good one, but also what about not enough funds? I think Loren deserves to be thanked for his efforts in setting up and running the conference. Unfortunately, I am too busy to attend.
Life is full of risks and if you want to live a full and normal life (maybe even otherwise also), you are forced to take at least some risks all the time. So, you take risks you consider to be reasonably safe. It is always possible that your next door neighbor will run you down with his car just for the fun of it the next time he sees you. It is possible that the cashier will pocket the $20 bills you just handed her and claim that you didn't give her anything (and charge you with assault or robbery should you try to get your money back). But life is always forcing these kinds of risks on you and you must evaluate each risk and the motives and psychological make up of the people involved. It has been said that if you don't take risks, you risk not living. I personally think the conference is a pretty good risk. And a cancelled check is a pretty good receipt.

Steve
=========================================================================
Date: Tue, 30 Aug 88 16:14:57 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: CRC vs. encryption schemes
In-Reply-To: Message from "Y. Radai" of Aug 30, 88 at 5:20 pm

>
> A few comments on Jerry Leichter's reply to my question/challenge:
>
>>It may very well be that, given a program P and its CRC C, with an unknown
>>polynomial, I can find another program P' with the same CRC. Note that this
>>is a MUCH weaker condition than saying that I can determine the polynomial.
>
>Agreed. I never assumed that one had to determine the polynomial in order to
>forge a CRC. However, it's not enough to say that "it *may* be that ...". If
>you can't demonstrate a *method* for doing this in general, you won't convince

Perhaps we have two different concerns here.

One is the problem of determining if a file that was previously clean had become infected. For this one needs only to look for changes.
A CRC will do this, unless the infecting agent is 'smart' enough to add a byte or two of checksums that will cause the CRC generator to show the same CRC. No virus writer can do this if he does not know what CRC polynomial you are using.

The second problem involves publishing the CRC so that others may know if distributed code had been changed. For this, you must also publish the polynomial so that others can check the code. Clearly here the polynomial is known and the virus writer can take that into account as he writes his mean stuff.

Since in the first case speed is of the essence (I run my checker with each bootup and it takes time), and in the second case, it is less so, we have two problems with two solution sets.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                    e-mail len@evax.milw.wisc.edu  |
| Professor, Computer Science          Office (414) 229-5170          |
| University of Wisconsin-Milwaukee    Home (414) 962-4719            |
| Milwaukee, WI 53201 U. S. A.         Modem (414) 962-6228           |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Tue, 30 Aug 88 15:06:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)"
Subject: RE: CRC vs. encryption schemes

Y. Radai writes:

    I never assumed that one had to determine the polynomial in order to forge a CRC. However, it's not enough to say that "it *may* be that ...". If you can't demonstrate a *method* for doing this in general, you won't convince many people.

If we were living in the 1930's, this statement might have some validity. Today, it is extremely naive. The world is full of failed cryptosystems which people relied on because "no one could demonstrate a method" of breaking them.
Given advances in the field, the burden of proof should be - and, among people who work on these issues, IS - entirely on the PROPOSER of a system to show that his system is secure, in some sense. (Absolute proofs of security are still beyond us, but proofs if certain problems which are believed to be very hard are, indeed, very hard are possible.) I suggest you read Kahn's "The Codebreakers" and see if you wish to stand by your statement.

    Since I may have misunderstood something and this might be a more important point than I thought, it should be mentioned that a CRC checker (the same program which I mentioned in my message yesterday) has been written which makes a random choice among almost 70 million irreducible polynomials. Do you think anyone can forge a checksum on that basis?

Yes, easily. A common error in this kind of work is not to understand the power of brute force. Your range of possible polynomials is too small to be secure. Suppose I know how your polynomial generator works, and have a copy of ONE file with your checksum for it. I proceed to compute the checksum of the file with all 70 million possible polynomials, comparing the results to the known checksum. Even if it takes a second to compute, I can expect a match in a little over a year. If I'm serious about the search and willing to make an investment in hardware, I can get a result much faster, since the program parallelizes trivially to arbitrary degree. If I get to choose the file - if, for example, you maintain a BBS and I can convince you to add my file to your files and publish a checksum for it for people to check - I may be able to do better. (At a minimum, I can guarantee that the file is short and so can be checked quickly.) What I get out is the actual polynomial - more than I needed. (There's a chance - about 1 in a 100 - that two polynomials produce the same checksum on the given file. A quick check with another file - if you publish one, you'll publish another - minimizes this.)
Go to 48-bit polynomials, and this method becomes impractical. But you don't KNOW that other methods don't make the problem absolutely trivial!

    This program is based essentially on Prof. Michael Rabin's "fingerprint" algorithm, and as you yourself admitted in your contribution of May 9, that makes it cryptographically strong despite the fact that it is CRC-based.

I no longer have a copy of my May 9th contribution - I'm fascinated, and complimented, that anyone thought it interesting enough to save and remember - but the use of "admitted" in this context is suspect. It has nothing to do with proof.

Rabin's scheme was based on an idea that is common in much of his work, and actually goes back to basic game theory: Using randomization, choose one path from among many. Your adversary can defeat any particular path you choose, but because he doesn't know which one you will choose, he must defeat all of them at once - which he cannot do. Here, "path" is a particular polynomial. Rabin's scheme fails immediately if your opponent knows the particular polynomial you intend to use.

As I recall, I speculated that you could get around this by publishing a list of polynomials, and checksums with respect to ALL of them, with the list so long that the adversary could not compute a falsified value that would satisfy all of them but still have an acceptable length. Then you would check a small, randomly chosen subset of the polynomials. For this to work, a suitable list of polynomials would have to be shown to exist: Long enough that fooling all, or even a significant fraction, of them simultaneously is impossible; short enough that you would be willing to compute and publish ALL the checksums. I don't know of anyone who has shown that such a list can be constructed; it's an interesting problem.
-- Jerry
=========================================================================
Date: Tue, 30 Aug 88 19:32:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Jim Shaffer, Jr."
Subject: Loren's virus conference

Could we please take this debate about the conference elsewhere? I don't know where, maybe a user-run mailing list, but I'm a bit tired of it on Virus-L. Probably Jeff is just being over-cautious, and I can't necessarily blame him. But this debate has gotten annoying.
=========================================================================
Date: Tue, 30 Aug 88 22:06:11 -0700
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve Clancy
Subject: conference

What are the possibilities of publishing some sort of proceedings or recordings of some of the discussions at the upcoming conference for those of us who can't make the trip?
=========================================================================
Date: Tue, 30 Aug 88 22:11:02 -0700
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve Clancy
Subject: Re: AT configuration
In-Reply-To: Your message of Mon, 15 Aug 88 13:37:42 -0500. <8808151311.aa17665@ORION.CF.UCI.EDU>

> I wonder what would be the effect of telling my AT, through some
> configuration changes that I have no hard disk.
>
> I can run a program that permits me to tell the battery operated RAM
> package that I have one of 45 or so different hard disks, or by
> putting a zero in some location tell it that I have no hard disk. Can
> a virus guess what sort of disk I have? What would happen if the
> virus guesses wrong?
>
> Interested in some feedback here.
>
> + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
> | Leonard P. Levine                    e-mail len@evax.milw.wisc.edu  |
> | Professor, Computer Science          Office (414) 229-5170          |
> | University of Wisconsin-Milwaukee    Home (414) 962-4719            |
> | Milwaukee, WI 53201 U. S. A.         Modem (414) 962-6228           |
> + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
>

There is an interesting program called PC-LOCK which will effectively isolate your hard disk (at least on an XT) from the system. Once installed, if a user attempts a hard disk boot, he/she must supply the proper password to gain access to the HD. If booted by a floppy in the A drive, access is also blocked as the HD does not appear to exist, and the user does not have access. This package is shareware. I would be happy to make it available to all in the conference, but I am not sure how to do so.

Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996
=========================================================================
Date: Tue, 30 Aug 88 22:20:49 -0700
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve Clancy
Subject: Flushot trojan horse

I recently came across this message from the author of Flushot. I haven't seen it here, unless I've missed it.

Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996

****************************************************************************
!!OF VITAL IMPORTANCE!!
=============================================================================

ATTENTION!
==========

THERE IS A TROJAN PROGRAM AFOOT AND IT'S CALLED FLU4TXT.COM! IT DID NOT ORIGINATE FROM MY BOARD, OBVIOUSLY. AS OF 3/11/88 THE MOST RECENT RELEASE OF THE FLUSHOT PROGRAM IS 'FLUSHOT3'. THE ARCHIVE CONTAINS A NUMBER OF TEXT FILES, AND FLUSHOT3.COM ITSELF. LEGITIMATE COPIES OF FLUSHOT3 ARE AVAILABLE ON EITHER OF THE BBS'S BELOW, ON GENIE, ON BIX, OR FROM USENET.

ABOUT THE TROJAN
================

FLU4TXT.COM IS A TEXT DISPLAY PROGRAM WHICH WILL SHOW YOU SOME OF THE DOCUMENTATION WHICH COMES WITH FLUSHOT3, AND WILL THEN DAMAGE YOUR HARD DISK WHEN YOU EXIT. ADDITIONALLY, IT ALSO PLAYS GAMES WITH THE DISK PARAMETER TABLE. NASTY STUFF.
THE WRITER OF THE TROJAN WAS CLEVER: IT IS SELF MODIFYING AND SELF RELOCATING CODE WHICH WILL NOT BE FOUND BY CHK4BOMB.

WHAT TO DO
==========

PLEASE BE SURE TO TELL ANY SYSOP ON ANY BOARD WHERE YOU SEE THIS PROGRAM (OR AN ARCHIVE CALLED FLUSHOT4) THAT IT IS A TROJAN, THAT IT SHOULD BE REMOVED FROM THEIR BOARD IMMEDIATELY, AND THAT A WARNING MESSAGE SHOULD BE POSTED TO THAT EFFECT. PERHAPS A COPY OF THIS WARNING BULLETIN WILL SUFFICE.

!!!DO NOT RUN FLU4TXT.COM!!! IT WILL EAT YOUR HARD DISK *AS*IT*EXITS*!!!

WHO DO I CONTACT?
=================

IF YOU HAVE QUESTIONS ABOUT FLU4TXT.COM OR ABOUT THE LEGITIMATE SERIES OF FLUSHOT PROGRAMS, PLEASE FEEL FREE TO LEAVE A MESSAGE FOR ME ON EITHER OF THE FOLLOWING BBS SYSTEMS: RAMNET ((212)-889-6438), NYACC ((718)-539-3338) OR ON 'BIX' OR VIA 'MCI MAIL' (I'M USER 'GREENBER' ON BOTH BIX AND MCI)

FLUSHOT3.ARC IS AVAILABLE ON THOSE BULLETIN BOARDS AS WELL AS MANY AROUND YOU. BEFORE DOWNLOADING A COPY FROM A TRUSTED BBS, PLEASE BE SURE TO ASK THE SYSOP IF THEY HAVE ACTUALLY RUN THE COPY THEY HAVE AVAILABLE FOR DOWNLOAD ON THEIR BOARD. IT IS *YOUR* DISK AT RISK.....

ROSS M. GREENBERG
=========================================================================
Date: Wed, 31 Aug 88 03:07:01 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: caution

Apologies to all for extending this debate any further; I merely desire to explain that my primary concern is not that Loren would embezzle funds. I am actually concerned that the conference might not happen. In that case, I will be out $50 for two months or so. This is significant to me, as I am a college student with not a lot of dough. Fifty bucks will buy me 1.5 textbooks on the average.

Putting a conference together, with finding a location, hotel accommodations, arranging for printing and typesetting documents, reviewing papers for presentation, and a zillion other details is a HUGE amount of work.
One person working alone and having no experience arranging conferences is likely to find it very difficult. And the semester is about to begin.

With that, I drop the subject.

- Jeff
=========================================================================
Date: Wed, 31 Aug 88 07:31:24 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Virus Conference Concerns Update
In-Reply-To: Your message of Tue, 30 Aug 88 17:24:37 EDT

> Other than that, we seem to have a great list of speakers,
> panelists and others coming representing a wide variety
> of computer security experts and amateurs.

Perhaps you could give us all a (partial, at least) list of speakers and panelists?

Ken

Kenneth R. van Wyk                   Calvin: Where do we keep the chainsaws?
User Services Senior Consultant      Mom: We don't have any!
Lehigh University Computing Center   Calvin: None?! Mom: None at all!
Internet:                            Calvin: Then how am I supposed to learn
BITNET:                                      how to juggle?!
=========================================================================
Date: Wed, 31 Aug 88 10:12:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: EAE114@URIMVS
Subject: CRCs and Published Keys

I don't understand the theory behind publishing checksums for programs. In order for this to work, it seems as if you need a secure (un-spoofable) channel for transmitting the checksum. If you DON'T do this, then whoever substitutes infected code for yours can easily also substitute a checksum that matches it. If you HAVE such a secure channel, then why not just transmit the programs, and forget the encryption?

EAE114@URIMVS (Eristic/PRose)
Disclaimer: This message doesn't exist, objectively.
=========================================================================
Date: Wed, 31 Aug 88 09:34:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: LYPOWY@UNCAMULT
Subject: Oops! Wrong Address John.

This message is to John Stewart, who requested the address for Dr.
Ian Witten. I am posting this here because I deleted John's message and thus do not have his address. John, sorry about this, but Ian Witten's address is: calgary.UUCP instead of what I sent you previously. Thanx!

Greg.

P.S. Loren - I am still waiting on some info from you (I realize how many requests you must have received for such info, so just get it to me A.S.A.Y.C!)
=========================================================================
Date: Wed, 31 Aug 88 13:24:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)"
Subject: RE: CRCs and Published Keys

    I don't understand the theory behind publishing checksums for programs. In order for this to work, it seems as if you need a secure (un-spoofable) channel for transmitting the checksum. If you DON'T do this, then whoever substitutes infected code for yours can easily also substitute a checksum that matches it. If you HAVE such a secure channel, then why not just transmit the programs, and forget the encryption?

This is quite true. However, the checksums and the keys to generate them can be much smaller than the code being protected. Imagine a service of the following form: You pay some amount of money to join up. You are given a sealed box containing a checksummer: It accepts a file as a series of bytes on an ASCII line and displays a checksum. The device is built so as to be very hard to reverse-engineer.

Anyone producing a piece of software provides a copy to the service. The service will NOT accept it until it has a verifiable identification of the person. The service then computes the checksum and saves it away for later. When you want to use a piece of registered code, you pick it up from any convenient source, call the registry, ask for the checksum, and compare to what your checksum box claims the checksum should be. Alternatively, the service prints the checksum on some hard-to-forge medium and sends copies to subscribers.
(The technology for making hard-to-forge paper and such is long established.)

This scheme requires that the checksum function be cryptographically strong: Every subscriber is in a position to calculate the checksum of any piece of text he wishes to. You need to be reasonably confident that this will not help him forge checksums.

-- Jerry
=========================================================================
Date: Wed, 31 Aug 88 13:13:50 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Nilges
Subject: RE: CRC vs. encryption schemes
In-Reply-To: Your message of Tue, 30 Aug 88 15:06:00 EST

In connection with the issue of just how hard it is, in general, to break encoding schemes, and the power of brute force in the form of computers, readers of this list should read the Science Times section of the New York Times for Tuesday, Aug 30th: here, the mathematician John Conway of Princeton (and creator of the game of LIFE) offered a reward to anyone who could determine the location of a certain key number in a series. Colin Mallows of AT&T Bell Labs came up with the solution, in part using a computer, in an astonishingly short time. Conway had offered a 10,000.00 reward, which Mallows agreed was a slip of the tongue, or at least the exponent. Mallows kept and framed the check for ten grand, and accepted an alternative reward of 1.0E3 for his grandchildren.
=========================================================================
Date: Wed, 31 Aug 88 13:30:03 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: ?$z"

After asking a question about finding virus with ResEdit, I tooled around with this utility and came across something strange. Maybe someone has seen or heard of this... Upon opening the desktop, I found two questionable files -- one was simply blank while another had the cryptic code: ?$z". I eliminated the blank one, but when I tried to open a Get Info box on ?$z" a bomb dropped.
On rebooting, the Mac informed me that my hard disk was in need of
repairs. It was repaired with the loss of SuperPaint and Word icons.
Opening ResEdit again, I found the file blank.

Any guesses?

Frank
=========================================================================
Date: Wed, 31 Aug 88 13:52:33 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: James Ford
Subject: Pc-Lock

>There is an interesting program called PC-LOCK which will effectively
>isolate your hard disk (at least on an XT) from the system. Once
>installed, if a user attempts a hard disk boot, he/she must supply the
>proper password to gain access to the HD. If booted by a floppy in
>the A drive, access is also blocked as the HD does not appear to
>exist, and the user does not have access. This package is shareware.
>I would be happy to make it available to all in the conference, but I
>am not sure how to do so.
>Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996

If I'm not mistaken, there are several versions of Pc-Lock. Version 1.0
is supposed to have some bugs in it that sometimes change your partition
table, thereby nuking most/all of your files. Version 1.1 corrects this
problem. Version 3.0 (which is NOT shareware) allows you to have up to 5
passwords (1 administrator and 4 user). Based on which password you
enter, you can have your AUTOEXEC.BAT branch to different routines.

We have installed it on 31 IBM-PCs w/20M hd, EGA, 640K... and have had
(almost) no problems. On 2 machines, we are unable to install it (I think
that it's a h-disk problem, not related to Pc-Lock). Only the tech people
(with a user password 4 set just for them) and the lab supervisor in
charge of updating software have access to the hard-drive itself.
Since Pc-Lock will allow you to permanently "turn off" CNTL-BRK, your
favorite menu program will see to it that students can not run files from
drive A or B, thereby reducing the chance that the computer will pick up
a nasty bug.

James Ford
=========================================================================
Date: Wed, 31 Aug 88 14:22:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David D. Grisham"
Subject: University Standards

As the "virus expert" (ha ha) I have been asked to establish Univ.
standards for virus Protection-Detection. Would anyone who has set
policies, procedures, etc. please share them? Most importantly, I need to
evaluate & purchase Anti-Viral software, any recommendations or
experiences on this subject would be greatly appreciated.

Thanks in advance. I will post a synopsis of your mail and my findings.

Dave
******************************************************************************
*                                                                            *
*   Dave Grisham                                                             *
*   Senior Staff Consultant                        Phone (505) 277-8148      *
*   Information Resource Center                                              *
*   Computer & Information Resources & Technology                            *
*   University of New Mexico                       USENET DAVE@UNMA.UNM.EDU  *
*   Albuquerque, New Mexico 87131                  BITNET DAVE@UNMB          *
*                                                                            *
******************************************************************************
=========================================================================
Date: Wed, 31 Aug 88 15:34:59 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: Re: University Standards
In-Reply-To: Your message of Wed, 31 Aug 88 14:22:00 MDT

Dave,

On your letter asking about virus protection/detection/prevention -- what
machines (i.e. IBMs, Macs) are you looking at? Also, what kind of money
are you planning on spending? As they say, the best is going to cost you
big money.
Frank
=========================================================================
Date: Thu, 1 Sep 88 00:12:03 +0300
Reply-To: gany@taurus
Sender: Virus Discussion List
Comments: If you have trouble reaching this host as MATH.Tau.Ac.IL
          Please use the old address: user@taurus.BITNET
From: GANY@TAURUS
Subject: Flushot's credibility

Hi gang,
I just read Ross's warning about flutxt4.com .
Somehow he sounds very scared, is it because Flushot 3+ (whatever
version) isn't good enough to cope with the beast ??

YG
=========================================================================
Date: Wed, 31 Aug 88 17:51:35 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: Flushot's Credibilty!!!

>Hi gang,
>I just read Ross's warning about flutxt4.com .
>Somehow he sounds very scared, is it because Flushot 3+ (whatever
>version) isn't good enough to cope with the beast ??
>
>YG

That Flushot4 warning is half a year old. In the meantime, Ross Greenberg
has released FluShot Plus (The "Plus" is used so that people would not
continue to use the corrupted FluShot that was spreading around) versions
1.0, 1.2, 1.4 (1.3 does not exist; Ross is superstitious). I think that
before you start rehashing FluShot as you are doing right now, you should
look at FluShot Plus 1.4. The only errors that I have heard about or
encountered are with the CMOS memory reads while reading certain floppy
disks, and the fact that certain editors (BRIEF?!?) can edit protected
files without any type of TSR warning.

David A. Bader
DAB3@LEHIGH
=========================================================================
Date: Wed, 31 Aug 88 16:59:02 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Deba Patnaik
Subject: Re: University Standards
In-Reply-To: Message received on Wed, 31 Aug 88 16:45:44 EDT

PC WEEK reports two organizations providing information on combatting the
spread of virus software.
They are:

    Software Development Council, Box-61031, Palo Alto, CA 94306
    (415) 854-7219

    Computer Virus Industry Association, 4423 Cheeny St, Santa Clara, CA
    (408) 988-3832

Does anyone know what these organizations provide?

Deba Patnaik
Center of Marine Biotechnology/Maryland Biotechnology Institute
=========================================================================
Date: Wed, 31 Aug 88 12:53:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: KEENAN@UNCAMULT
Subject: Re: Virus Arguements Hit Home
In-Reply-To: Message of 30 Aug 88 11:07 MDT from "Frank San Miguel"

I believe there is a general principle in insurance that, except where
otherwise provided (such as a prizefighter's hands being damaged in a bar
fight..) the insurance company will refuse to pay if someone else can be
held at fault (i.e. sued.) This came up here in Calgary lately with
regard to some flooding which was aggravated by cowboy bus_drivers
causing tidal waves through the affected communities...insurance refused
to pay for the damage since it wasn't a "natural event."
=========================================================================
Date: Wed, 31 Aug 88 18:49:20 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bill MacDonald
Subject: Dup Mail

I received the same mail twice from David A. Bader DAB3@lehigh
=========================================================================
Date: Wed, 31 Aug 88 19:02:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Glen Matthews
In-Reply-To: In reply to your message of TUE 30 AUG 1988 13:13:36 EDT

Sorry about that. CACM stands for: Communications of the Association for
Computing Machinery. The association's name belies its function; it's
actually an association for PEOPLE who use computing machinery. (I never
could figure out how someone could arrive at a name like that.)
Glen Matthews
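
Added example (not part of the original digest or of any poster's message): the checksum registry Jerry Leichter describes in "RE: CRCs and Published Keys" above, written in Python with HMAC-SHA-256 assumed as a modern stand-in for the sealed box; the key, program name and file contents are constructed. It also shows why that message asks for a cryptographically strong function: a CRC-32 value can be derived from other CRC-32 values a subscriber has already seen, while the keyed checksum cannot.

```python
import hashlib
import hmac
import zlib

# Constructed sample values; nothing here comes from the original thread.
BOX_KEY = b"constructed-secret-inside-the-sealed-box"  # hypothetical
ORIGINAL = b"constructed program image, release 1.0\n" * 4
TAMPERED = ORIGINAL.replace(b"1.0", b"1.X")            # same length, altered
FILLER = bytes([0x55]) * len(ORIGINAL)


def box_checksum(data: bytes) -> bytes:
    """The sealed box: a keyed checksum (HMAC-SHA-256 as a modern stand-in)."""
    return hmac.new(BOX_KEY, data, hashlib.sha256).digest()


def crc_checksum(data: bytes) -> bytes:
    """A plain CRC-32, for comparison."""
    return zlib.crc32(data).to_bytes(4, "big")


class Registry:
    """The service: records one checksum per registered program name."""

    def __init__(self, checksum):
        self._checksum, self._db = checksum, {}

    def register(self, name: str, data: bytes) -> None:
        self._db[name] = self._checksum(data)

    def verify(self, name: str, data: bytes) -> bool:
        """Subscriber check: local box output against the registry's value."""
        return hmac.compare_digest(self._checksum(data), self._db[name])


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def predictable_from_others(checksum, a: bytes, b: bytes, c: bytes) -> bool:
    """True if checksum(a^b^c) follows from checksum(a), checksum(b) and
    checksum(c) alone, without asking the box (a, b, c of equal length)."""
    derived = xor_bytes(checksum(a), checksum(b), checksum(c))
    return derived == checksum(xor_bytes(a, b, c))
```
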