=========================================================================
Date: Sat, 15 Oct 88 16:20:00 GMT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Danny Schwendener
Subject: Re: Networks

>>None of the Mac viruses now known can actively transfer across a network.

>That seems strange to me. It seems that in any system, if a file is
>writable, then a virus can write to it. Of course, if read-only
>status can be enforced, then infection of the file can be prevented.

We're speaking about the *currently known* mac viruses. They infect
either system files on the boot-up disk or/and applications when these
are invoked. No doubt that you can write a virus that detects all
volumes on line and infects part or all of the applications on these
volumes (as long as they're not write-protected), but apparently no one
has done this yet (knock on wood).

-- Danny
+-----------------------------------------------------------------------+
| Mail   : Danny Schwendener, ETH Macintosh Support Center              |
|          Swiss Federal Institute of Technology, CH-8092 Zuerich       |
| Bitnet : macman@czheth5a      UUCP  : {cernvax,mcvax}ethz!macman      |
| Ean    : macman@ifi.ethz.ch   Voice : yodel three times               |
+-----------------------------------------------------------------------+
=========================================================================
Date: Fri, 14 Oct 88 23:42:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ACS045@GMUVAX
Subject: Penalties for Hackers

>If, as in most places I've been, you can't spare the
>effort, I'd still say that a first offence ought to result
>in forced restitution and a real short chain. Class this as
>stupidity, rather than malice. A second offence is evidence
>of both stupidity AND severe mental defectiveness,
>and ought to get a body bounced as high as you can
>get them.
> Eristic (EAE114@URIMVS)

sounds like most places you've been are a lot more lenient than our place
over here....
We just had a nasty bit of business where a student consultant either wrote
a VMS trojan .COM file or showed a user how to write a .COM file, which was
then sent around the system and managed to zap a few accounts before the
file was discovered.

No short chain for him.....he was fired faster than a speeding bullet..
It turned out that he didn't really DO anything in terms of writing or
distributing the beast, but just the mere fact that his name came up a
few times in the resulting inquisition was enough to get him canned...
=========================================================================
Date: Sun, 16 Oct 88 15:51:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Peter D. Junger"
Subject: Isn't "hacker" an honorific?

I find it troublesome--and perhaps even a subject that has ethical
implications--that in the current discussion about the student who
wrote a virus that got away, the term "hacker" is used as if it were
some sort of label applied to a class of criminals, like the label
"burglar". As I understood the original use of the term, it described
those who make computers do what they want the silly machines to do,
as opposed to "losers" who can only do what the machine (and its
administrators and programmers) lets them do. Admittedly some HACKERS
want to do undesirable things with their machines, but others write
EMACS. Considering the fact that the virus in question was written in
some sort of job control language and that it blew up in its author's
face--he sounds more like a loser than a hacker. Users often want to
do undesirable things too. The use of the word "hacker" on this list
thus seems to me a rather unpleasant example of group defamation.
I suspect that part of the dislike for hackers that is expressed within
the computer community is based, not on the fact that some hacks are
nasty, but on the fact that hackers are free, i.e., out of control,
i.e., out of the control of those who don't like people to be free.

On the other hand, perhaps there is no ethical issue at all. Perhaps
the word "hacker" has come to be a pejorative because words change
their meanings over time, and that is all there is to it. After all,
my old highschool geometry teacher worked during the summer as a
computer. Words do change.

Peter Junger
JUNGER@CWRU
=========================================================================
Date: Fri, 14 Oct 88 18:54:00 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Sakabu
Subject: Re: Hackers as security consultants

The term "Hacker" nowadays has a totally different meaning than it did
in the not-so-old days. The term I prefer to use for these turkeys is
"cracker" not "Hacker".

Well, there's my two cents. Thanks for not flaming me.

--Ed

> On the idea that hackers can and/or should be
> hired as security consultants:
>
> In the not-so-old days when competent computer people
> were hard to come by, it made sense to hire hackers
> to help your security effort. The extra effort to
> control them and the leap of faith required were made
> worthwhile, because of the limited pool of talent
> available. I do not think this is true anymore.
>
> It IS still true that hackers may be an important
> source of talent, IF you have the resources to control
> them, or a loose enough situation to prevent severe damage.
> If, as in most places I've been, you can't spare the
> effort, I'd still say that a first offence ought to result
> in forced restitution and a real short chain. Class this as
> stupidity, rather than malice. A second offence is evidence
> of both stupidity AND severe mental defectiveness,
> and ought to get a body bounced as high as you can
> get them.
> Eristic (EAE114@URIMVS)
=========================================================================
Date: Sun, 16 Oct 88 10:41:24 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: Re: networks
In-Reply-To: Message received on Fri, 14 Oct 88 18:49:33 EDT

>> The (c) Brain virus called INT 26h directly, so it can't infect
>>a network drive. This is the blessing/curse of machine dependent code!
>>
>>Erik Sherk
>>
>Interesting, however the virus can call the same routines that the DOS
>server does. Thus, only if the server file is read-only AT THAT END
>can you be sure that a virus cannot infect the server. If code at the
>user end can write to the server, in any way, then a virus code can do
>the same. Read-only files, protected at the server end where the
>virus is assumed not to reside, are protected.
>
>(as an aside, we have moved the discussion from MAC to DOS here, we
>also are discussing what a virus can do, not what known viruses
>actually do. I for one am discussing potential and not existing
>threats.)

Your point is well taken. Here at U of Maryland we are very concerned
with network server security. That is why we are trying to implement
an NFS server to serve all of the three types of microcomputers in our
public workstation rooms. A Network File System offers Unix style
security for our users' programs and data (i.e. a user can run a
program from an execute only disk and still have read/write access to
his data files on the server).

It seems to me, that you are against any write access to a server
because of the potential for a virus to infect public programs.:-) Do
you think that, because of a *potential* threat, we should limit the
functionality of our servers?
Erik Sherk
Workstation Programmer, Computer Science Center
University of Maryland
=========================================================================
Date: Sat, 15 Oct 88 02:06:30 +0200
Reply-To: gany@taurus
Sender: Virus Discussion List
Comments: If you have trouble reaching this host as MATH.Tau.Ac.IL
          Please use the old address: user@taurus.BITNET
From: GANY@TAURUS
Subject: Re : Ex hackers

I think we are getting carried away with this argument about employing
ex-hackers so I will try to make this short.

1. I have a friend who used to hack around with our university's giant
   CDC CYBER a few years ago when we were both in high-school. We had
   access to the computer as we were doing a form of "graduation paper"
   for school. That person was caught messing around with resources he
   had no access to (like accounts he used to "borrow"). He was
   reported to school and was punished in the form of "not to lay foot
   on the computer building as long as he in college". This person is
   working up to this date as consultant on the same computer site (and
   believe me, he is good at what he is doing (advising on languages
   and operating system)). Just don't say they (the computer operators)
   have short memory - they knew exactly who they were hiring.

2. I remember myself trying to hack around with the same computer
   ("with a little help from my friends") not always doing honest
   things. Today I am working next door as member of the system staff
   on a UNIX system on the same university and also have privileged
   access to that CDC.

So, to the main point - the reason some of hackers do "bad" things is
because they are bounded and they like the game of trying to loosen
the tights. (I hope my English is right) Give them enough space (i.e
privileges) and suddenly they stop hacking and start acting like
"grownups" and do useful things.

Now don't get me wrong - IN NO WAY YOU SHOULD ENCOURAGE HACKING !!.
But when it comes to hiring a person to a job requiring "privileged
access", the fact he used to be a hacker should NOT disqualify him
automatically ! Don't judge a book by its cover. I'm sure most system
administrators have enough brains to smell a trouble maker in few days
- before he is given enough privileges.

Sorry for the length of this posting - it makes me furious to hear
opinions like "once a hacker always a hacker" as if hacker means thief.
I'm sure many of you reading this posting used to be hackers too, so
let's concentrate in more important things like how to prevent unwanted
penetrations to systems (which of course includes trojan-horses).

thanks for listening.

Yair Gany
Tel Aviv University - School of Mathematics and Computer Science.
=========================================================================
Date: Sun, 16 Oct 88 23:29:21 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Prof Arthur I. Larky"
Subject: I am proud to be a hacker!

I've been a 'hacker' for 32 years. I wrote programs for Lehigh
computers to do things I thought needed doing even though no one asked
for them. I don't attack other people's computers because I don't want
people attacking mine. (Fred Cohen attacked one of mine and I dumped
him off of it immediately.) Sometimes I attack one of my own
computers, but usually by accident.

Let's find some other term for the malicious ones and keep 'hacker'
for the guy who likes to see what useful things he can do with a
computer.

I wonder how you get someone to pay a $2300 fine without going to
court? Also, would he have paid if he knew he was going to be thrown
out of school? The fact that the school could re-consider and up the
penalties proves that universities are not bound by such minor
legalities as double jeopardy.
Art
=========================================================================
Date: Sun, 16 Oct 88 23:58:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: I am proud to be a hacker!

> Lets find some other term for the malicious ones and keep 'hacker'
>for the guy who likes to see what useful things he can do with a
>computer.

Oftentimes, a student who has a reputation for being a "hacker," or
experienced computer user, might be charged with computer mischief
merely for being labelled as such, even though s/he might not be the
type of person who would ever do anything maliciously.

David - "It could happen to me. It could happen to you."
=========================================================================
Date: Mon, 17 Oct 88 00:34:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Dimitri Vulis

Please... stop using the word 'hacker' if you don't know what it means...

Users who maliciously destroy data, plant viruses, Trojan horses, etc
are usually too dumb/ignorant to qualify as hackers. I had XMAS EXEC
sent to my CMS account last winter, and I took the usual precaution of
_looking_ at it before running it. It was _immediately_ obvious to me
what it was supposed to do (i.e. display a XMAS tree and send copies of
itself to all the folks in my NAMES file), so I did not run it, and I
sent a stern warning to the person who sent it to me; however, it was
written in such an amateurish manner that it really made me puke. It is
my understanding that _most_ viri, Trojans, etc are written by children
under 18 are primitive and full of bugs that render them less harmful
than meant by their authors.

A 'hacker' is, generally speaking, an enthusiastic systems programmer---
nothing less, nothing more. The media (flame=on) sometimes misuse this
term to describe what really are phreaks and/or crackers.
Well, one may follow this usage, and one may use the term 'virus'
generically instead of 'Trojan horse' or 'time bomb' etc, and one will
sound like one does not know what one is talking about, which is
probably the case. (flame=off). Programming expertise and a malicious
destruction of other people's data seldom coincide.

Now, about employing 'hackers' (crackers) in computer centers: I think
it's a real bad idea. A person caught snooping around other people's
data (even w/o destroying anything) cannot be trusted with the power
inherent in (almost) any systems support job. Even a lowly student
consultant is in position to notice passwords being typed, for example.
In the past (I mean real dark past, 10--15 years ago) there were so few
knowledgeable users available that (school) DP people had to hire such
folks as consultants etc because they picked up something about the
system while snooping which they could pass on to other users. Well,
today the systems are (somewhat) easier to use, and the pool of
knowledgeable users is much wider, so the cracker types can and should
be blacklisted.

Users caught trying to destroy other users' data or to interfere with
the operation of the computer center ought to be punished in the most
severe manner available. Some years ago I had some of my files erased
by a sicko who was working for the computer center (a real psychopath).
I was not too happy about it, obviously. I think SUNY@Albany was
completely right in kicking the butt of the loser who tried to launch a
virus and could not do even that competently. It's too bad they could
not put him to jail as well. They should also publicize the incident as
widely as possible. Hopefully, this will make others like the student
in question think twice before attempting to write something like this.
Being lenient with system abusers generated a wrong kind of message ---
that system abuse is tolerated at this particular installation.
-Dimitri Vulis
-CUNY GC, Math department
=========================================================================
Date: Sun, 16 Oct 88 13:47:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: WHMurray@DOCKMASTER.ARPA
Subject: Re: Policy on Informants
In-Reply-To: Message of 11 Oct 88 16:14 EDT from "Mark F. Haven"

>The punishment of the Albany student was way out of line - a 2K fine
>and booting him out of school for a dumb mistake which he
>immediately tried to rectify?

It is difficult for me to assess the appropriateness of the punishment.

I have no difficulty at all with the $2380. As I understand the
original submission, this was restitution, not a fine. It is well
settled in common law that anyone who plays with dangerous things is
liable to others for any damage that he causes.

As to probation, as recommended by the Student Committee on Conduct,
and expulsion, as granted by the authorities on appeal from the system
administrators, it seems to me that there is some data missing.

I would like to know what rules, besides the obvious social ones
against playing with dangerous substances in crowded places, were
violated. Under what explicit rules or agreements did the student use
the system? What sanctions were provided in those rules or agreements?

If the punishment was imposed "ex post facto," then I have some little
sympathy. However, if the student knowingly put himself in danger of a
published sanction, then I have none at all.

Participation in an academic environment carries with it certain
responsibilities. These include the responsibility not to "blot
another's copy book," use his work without proper attribution, and not
to tamper with his experiments. Because it is often difficult to
understand how these rules apply in a computer environment, I think
that it behooves a self-interested academic community to put its
members on explicit notice.
In order to enforce their interest, such a community must be prepared
to shun, ostracize, and expel those who violate the notices.

While I can sympathize with one who unintentionally offends in the
absence of such explicit notice, I do not necessarily believe that the
failure to give notice about every possible kind of offense compromises
the right of the community to invoke sanctions for offenses that fall
under the broad definitions of unacceptable behavior.

____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
Ernst & Whinney                         ARPA: WHMurray @ DOCKMASTER
2000 National City Center               MCI-Mail: 315-8580
Cleveland, Ohio 44114                   TELEX: 6503158580
                                        FAX: 203-966-8612
21 Locust Avenue, Suite 2D              Compu-Serve: 75126,1722
New Canaan, Connecticut 06840           TELEMAIL: WH.MURRAY/EWINET.USA
=========================================================================
Date: Mon, 17 Oct 88 07:34:38 GMT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was JANET@BRIGHTON.AC.UK
From: JANET@VMS.BRIGHTON.AC.UK
Subject: Terminology problems & Vote call

Dimitri Vulis (17 Oct 88 00:34:00 EST) writes...

> Please... stop using the word 'hacker' if you don't know what it means..

In the UK, a minority of people would know of the term "cracker". A
book (third issue came out this year) called "The Hacker's Handbook",
on the subject of connecting to other people's systems and logging in,
only makes it more confusing.

I saw a list of many terms used in the USA of which (fortunately) few
have alternative meanings in the UK. Outside the specialist terms from
MIT etc, onto mundane things... a (US) bus is a (UK) coach [eg
Greyhound], and a (Can) pavement is a (UK) road. I was *very* confused
by that until I found a (Can) sidewalk is a (UK) pavement. "Get on the
pavement" could be dangerous! Suggestions anyone?
> Now, about employing 'hackers' (crackers) in computer centers:
> I think it's a real bad idea.

Can anyone suggest a means by which we can take a vote? (Must be able
to receive votes by MAIL not just SEND (n/a worldwide)). I'm not sure
[having commented on 'Informants'] that CONTINUING a 50:50 (??) matter
is of value on any list... Must say I found all views of value.

Peter Morgan, Computer Centre, Brighton Poly.
pgm@vms.brigton.ac.uk or pgm%vms.brighton.ac.uk@cunyvm.cuny.edu

[ Decision please, from On High -- Ken... LUKEN@LEHIIBM1 ]
=========================================================================
Date: Mon, 17 Oct 88 09:17:41 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Terminology problems & Vote call
In-Reply-To: Your message of Mon, 17 Oct 88 07:34:38 GMT

> Can anyone suggest a means by which we can take a vote? (Must be able
> to receive votes by MAIL not just SEND (n/a worldwide)). I'm not sure
> [having commented on 'Informants'] that CONTINUING a 50:50 (??) matter
> is of value on any list... Must say I found all views of value.

A couple of related things... First, the arguments (both for and
against) about hiring "hackers" have gone on for quite some time now
with both sides making very interesting points. I suggest that they be
continued on the ETHICS-L list, as suggested by a reader, however. The
same goes for the arguments about the definition/history of the term
"hacker"; interesting as it is, it doesn't really have much of a place
here. Both things can be argued ad infinitum with neither side claiming
a decisive victory.

Thanks in advance for everyone's cooperation on this matter.

Ken

Kenneth R. van Wyk                    Calvin: I can't stop this bike, help!
User Services Senior Consultant       Hobbes: Turn into a gravel driveway and
Lehigh University Computing Center            fall! Quick!
Internet:                             Calvin: Screeeech! Boom! :-(
BITNET:                               Hobbes: I didn't think you'd listen to me!
=========================================================================
Date: Mon, 17 Oct 88 09:24:16 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark F. Haven"
Subject: First, let's kill the teachers.

>Date: Fri, 14 Oct 88 23:42:00 EST
>From: ACS045@GMUVAX
>Subject: Penalties for Hackers
>
>sounds like most places you've been are a lot more lenient than our place
> over here....
>We just had a nasty bit of business where a student consultant either wrote
>a VMS trojan .COM file or showed a user how to write a .COM file, which was
>then sent around the system and managed to zap a few accounts before the
>file was discovered.
>
>No short chain for him.....he was fired faster than a speeding bullet..
>It turned out that he didn't really DO anything in terms of writing or
>distributing the beast, but just the mere fact that his name came up a
>few times in the resulting inquisition was enough to get him canned...

Please tell us there's more to this than what you said, in particular
"he didn't really do anything but just the mere fact that his name came
up a few times". On that basis you would be firing your top and most
accessible instructors who provide information in the most
understandable way.

I've taught hundreds of people how to write in various languages. Some
of them I've spent a lot of time helping. Are you saying that if one of
them wrote a destructive program and then told you I taught him a
language, and several others said I often answered such questions, then
I'd be out like a speeding bullet? (In such a case I guarantee my
lawyer would beat up your lawyer.)
=========================================================================
Date: Mon, 17 Oct 88 10:58:02 edt
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GATEH@CONNCOLL
Subject: SET VIRUS-L REPRO

SET VIRUS-L REPRO
=========================================================================
Date: Mon, 17 Oct 88 11:27:06 edt
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GATEH@CONNCOLL
Subject: a vote

=========================================================================
Date: Mon, 17 Oct 88 09:06:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GORDON_A%CUBLDR@VAXF.COLORADO.EDU
Subject: hackers

Just a comment...weren't the original founders of APPLE Computers
considered to be hackers? This isn't a flame but a commentary. One can
learn a lot by poking around programs etc., perhaps a lot more than in
school. Like everything else there are "good" ones and "bad" ones

Allen Gordon
Univ Colorado
=========================================================================
Date: Mon, 17 Oct 88 11:30:44 edt
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GATEH@CONNCOLL
Subject: another attempt at voting

I vote to move the hacker/hire-fire/definition-genealogy discussions to
another list (perhaps ETHICS-L, as other folks have mentioned), and
reserve this list for more technical topics.

that'll be two cents

Gregg TeHennepe                       | BITNET: gateh@conncoll
Minicomputer Specialist               | Phone: (203) 447-7681
Academic Computing and User Services
Connecticut College
New London, CT
=========================================================================
Date: Mon, 17 Oct 88 10:18:44 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: networks
In-Reply-To: Message from "VIRUS-L@LEHIIBM1.BitNet" of Oct 16, 88 at 10:41 am

>> Read-only files, protected at the server end where the
>>virus is assumed not to reside, are protected.
>>
> It seems to me, that you are against any write access to a server
>because of the potential for a virus to infect public programs.:-) Do
>
>you think that, because of a *potential* threat, we should limit the
>functionality of our servers?
>
>Erik Sherk

I have no desire to limit systems, I am interested only in becoming
aware (and in helping others to become aware) of the threat and what we
will have to do to protect against it. Thus far it seems to me that:

No conventional MS-DOS or MAC stand alone installation that accepts
executable files from another system is safe. (The basic failure is
that there is no forbidden code area that any user program cannot
penetrate in either of these designs. Thus, anything that the virus
writer wants to do, s/he can do.)

No system (whatever its form) that permits a user to write executable
code for another user to execute is safe if the later executer (pardon
the English) is a system level user or has serious files to protect.

The best safety is in the form of a lock with a known form but an
unknown key. (There is no way to permanently hide the form of the
lock. The design of the Yale lock is known to many. The shape of the
key however, can be hidden from the perp ((as we say in Hill Street))
and can be changed at will.)

Finally, I know of no existing virii that do the nasty things that the
above imply. I know that some will come though.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science        Office (414) 229-5170      |
| University of Wisconsin-Milwaukee  Home   (414) 962-4719      |
| Milwaukee, WI 53201 U.S.A.         Modem  (414) 962-6228      |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Mon, 17 Oct 88 13:08:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Tom O'Toole - HCF
Subject: Please stop this drivel!

This same argument (hackers... degenerating into "what is a hacker"
etc...) reared its ugly head on info-vax a while ago and took forever
to die. The moderator of this list has requested that the discussion be
moved to another list, yet the messages are still coming. And PLEASE
drop the notion of a "vote" immediately. Let's get on with it, 'cuz
we're wasting our time. Thanks...

Tom O'Toole
JHUVMS system programmer
Homewood Computing Facilities
Johns Hopkins University
Balto. Md. 21218
ecf_stbo@jhuvms.bitnet
=========================================================================
Date: Mon, 17 Oct 88 13:59:40 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David M. Chess"
Subject: networks

Len Levine lists some problems that allow viruses to propagate:

> ...there is no forbidden code area that any user program cannot
> penetrate...
> ...permits a user to write executable
> code for another user to execute ... if the later executer
> (pardon the English) is a system level user or has serious files to
> protect.

I would suggest that the first of these things is not at all necessary
for a virus to spread and to do damage, and that the second of these
things is a necessary feature of any real system at all (there are no
systems where no one executes any code that was written by someone
else, and every serious user has at least one serious file).

Because of these thoughts, I would object (again) to any suggestion
that MS-DOS and MAC systems are more vulnerable to viruses than are any
other systems. How about changing the sentence in question to read:

> No conventional computer installation that accepts
> executable files from another system is safe.

Forgive me if I harp on this, but I'm constantly reading and hearing
how it's just these silly micros that are vulnerable to viruses, and
that as soon as they get to be more like mainframes, we'll be safe.
It's not true...
On the other hand, I agree wholeheartedly that known-form locks with
unknown keys are a very promising approach to all this.

DC
=========================================================================
Date: Mon, 17 Oct 88 15:18:22 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Christian J. Haller"
Subject: Re: Conference Outline/Agenda
In-Reply-To: Message of Wed, 5 Oct 88 12:33:12 EDT from

>Because I cannot get mail through to all conference attendees, I
>will put it up here. There is no need to read this if you don't
>wish to.
>
>
>Outline of Conference
>---------------------
>
>I believe everyone has already made flight arrangements, if anyone
>needs help, please contact me (215) 865-3904. I have sent out a
>number of packets to people attending, some haven't gone out yet,
>because I'm not sure those people are coming.
>
>For those of you who don't have hotels yet, directly across from the
>ABE airport is the Sheraton Jetport Lehigh Valley (Phone:
>215-266-1000). The conference will not be too far from the airport,
>so this should be a good place to stay. The prices here are a bit
>higher than some of the other hotels for those of you on tight
>budgets. Nearby the airport is an Econolodge (Believe it or not, it's
>not a bad hotel! Phone: 215-867-8681), as well as a Macintosh Inn
>(Good for those of you who like Apple Equipment, I cannot find the
>phone number for this, I'm still looking), and the Red Roof Inn (I
>have heard a number of complaints about this hotel, so you may want to
>avoid it. It looks nice from the outside, but rumors pervade.
>215-264-5404).
>
>Friday, Oct 21:
>
>   Approximately half of those coming to the conference will
>   be there on Friday. Introductions will be in order, we
>   will hand out copies of the book (although copies will be
>   available to those coming Saturday). We will be holding
>   this introduction at one of my offices. This will be
>   held at 701 Main Street in Hellertown (a suburb of Bethlehem).
>
>   Those of you who have gotten directions in the mail have
>   gotten a small map of the area, so it will be easier for
>   you to find things, but for those of you who might not
>   get mail in time:
>
>   Directions from Sheraton Jetport, follow Airport Rd South
>   to Rt 22 East. Take the next exit off 22 onto Rt 378 South.
>   Follow Rt 378 to the Hill to Hill Bridge (a large old structure
>   where the road narrows, it's the ONLY large bridge on the road
>   so it is recognizable.). Bear left off the bridge onto 3rd
>   Street of South Bethlehem (It's the old section of town, so
>   please excuse its appearance, it's undergoing revitalization).
>   At any of the first four traffic lights, make a right hand turn
>   and a left on the next major road, 4th st. Follow 4th street
>   for about 4 miles, the road will curve to the right twice.
>   Eventually, 4th street will become Main Street, Hellertown.
>   Our office is a Century 21 Keim Realtors, but it's new so I
>   doubt we'll have a freestanding sign by the time of the conference.
>   The easiest way to recognize the building: You will see a
>   new highway being constructed OVER Main Street; this is the new
>   I78 project that's getting so much national attention. We
>   are DIRECTLY across from the furthest exit, at a stoplight
>   which has not been turned on yet. We are between Gutshall
>   Chevy and Potts Doggie Shop.
>
>   6:00 PM - 7:00 PM - Introductions with Coffee and Snacks,
>   handing out of book.
>
>   7:00 PM - 8:30 PM - What Are Viruses? What are viruses,
>   what forms do they take, including boot sector viruses, .EXE
>   viruses, Unix and VMS viruses, and a look at some of the
>   new MacIntosh woes. Reviewing and outlining the ways the
>   Lehigh, Brain, Christmas and Israeli viruses worked. Also
>   comparing the Brain and Yale Viruses.
>
>   8:30 PM - 9:00 PM - Questions
>
>   9:00 PM - Morning - Discussion, adjourning to a local bar or
>   restaurant to talk.
> >Saturday, Oct 22: > > Much easier directions, we'll be holding it at WALPS Restaurant > at the corner of Airport Road and Union Blvd for ease. Simply > follow Airport Rd South for about 2 1/2 miles to Union Blvd, > Walps will be on your left. > > 10:00 AM - 11:00 AM - Coffee will be served, "Tracking Computer > Viruses" will be the topic covering how some groups track computer > viruses, and some examples. > > 11:00 AM - 12:00 Noon - A look at "Computer Tape Worms", their > uses, how they can cause damage, and why they might be the > virus of the future. The damage they can cause. How we'll have > to stop damaging ones. > > 12:00 PM - 1:00 PM - Break for lunch. People are welcome to > stay and eat lunch at Walps, but Union Blvd is a fast food lovers > paradise, it also contains a major AT&T research facility. > People can discuss what's been said so far. > > 1:00 PM - 2:00 PM - Computer Security Concerns I. Are schools in > real danger of losing research? How can we protect our businesses > and colleges from the dangers? > > 2:00 PM - 3:00 PM - Computer Security Concerns II. System Integrety > in large networked environments and mainframes. Government security > designs, banking systems and virus defense designs. Included > will be Limited Transitivity models, Limited Functionality concerns, > Bell-LaPadula Model, the Biba Model, Complexity Based Functionality, > and the Separation Model. Future concerns will be discussed. > > We're going to break up early, although people are welcome to discuss > Computers and Security, I feel this lecture will provoke a lot of > conversation. You have time to wander and find dinner. > > >6:00 PM - 9:00 PM - Back in the Hellertown office, we will be holding > demonstrations. We will be demonstrating various viruses, including > a Unix virus, various anti-viral programs and hopefully a Worm program. > Again Coffee and snacks (baked cookies, brownies and so on) will > be provided. 
We will also at this time be having a panel discussion. > Questions will be fielded by a panel of anti-virus program writers. > > >Sunday, Oct. 23: > > 10:30 AM - 12:00 Noon - "Future Virus Concerns", closing up the > lecture on Computer Security, and open forum on ideas and questions. > > 12:00 Noon - 1:00 PM - Lunch > > 1:00 PM - 4:30 PM - Some controlled discussion, some open forum. > We'll be discussing possible protection schemes, reviewing some of > the ideas we've gone over, hopefully working on a new conference > some time next year in another part of the country, discussing the > possible dangers to the ATM networks and the dangers to tele- > communications. > >I think the main emphasis of this conference will be a pulling of ideas >and hopefully getting some people to meet and discuss problems face to >face rather than over a computer. > >Comments: > >University of Texas, I've had problems getting through to you, please >write me at LKK0@LEHIGH or call me at 215-865-3904. > >We'll have a price for the book some time in the next few days. > >People who haven't so far, please write me and tell me what day you >are coming in. > >Dennis Director, please call me. > >Also, a number of people mentioned that they would like directions to >Philadelphia to see the sights and so on. I'll be making full maps of >the Lehigh Valley Area, Pennsylvania and Philly available to you when >you get here. If you are coming early, I will mail them to you, >please let me know. If anyone wants to spend an hour and a half to >trek to New York City, I will try to get you some maps. > >Any questions??? Loren Keim > ========================================================================= Date: Mon, 17 Oct 88 16:13:07 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: MICHAEL LEE Subject: Re: Re: networks Someone mentioned the Yale lock. Can you explain more? It sounds interesting but I have no idea of what it entails. Mike Lee WASH Univerisity ST. 
LOUIS, MO
=========================================================================
Date: Mon, 17 Oct 88 13:53:48 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark F. Haven"
Subject: Another vote.

I support Gregg TeHennepe's urge that we move this to ETHICS-L. Two reasons, first the traffic is voluminous and has to be sorted through by those interested in the more technical aspects of viruses, second ETHICS-L has been completely silent for months and is defined as the forum for just this kind of discussion, second and a half - this is getting boring but I feel the need to stay subscribed to VIRUS-L for the technical stuff and the discussion on who is a "hacker", did the Albany student get too much or too little, etc. has gotten beaten to death (and boredom) already.

Mark F. Haven
Computer Specialist
National Institutes of Health
Bethesda, MD
=========================================================================
Date: Mon, 17 Oct 88 11:33:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Grep the Peg
Subject: Re: I am proud to be a hacker!
In-Reply-To: Message of 16 Oct 88 22:58 MDT from "ZDABADE at VAX1.CC.LEHIGH.EDU

Right on. I lost my account on the University of Calgary vaxes four times in my first year. Once because I used "rlogin" when I wasn't supposed to. Three other times because of unfounded "rumour". It seems the sysop's fastest way to get me into his office was to turn off my account. I don't even think what I did classifies as hacking...
=========================================================================
Date: Tue, 18 Oct 88 14:30:00 CET
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Helmut Waelder
Subject: re:

> From: GATEH@CONNCOLL
> Subject: another attempt at voting
>
> I vote to move the hacker/hire-fire/definition-genealogy discussions to
> another list (perhaps ETHICS-L, as other folks have mentioned), and
> reserve this list for more technical topics.
> > that'll be two cents > > > Gregg TeHennepe | BITNET: gateh@conncoll I agree with Gregg. This here should be a virus discussion list .... Helmut Waelder ========================================================================= Date: Tue, 18 Oct 88 10:11:00 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: EAE114@URIMVS Subject: Yale locks?? If I'm wrong, somebody correct me, but : The 'Yale lock' mentioned is not software, it's a physical lock, on a door. It was mentioned by way of analogy. ========================================================================= Date: Tue, 18 Oct 88 09:12:54 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Len Levine Subject: Re: I am proud to be a hacker! In-Reply-To: Message from "Grep the Peg" of Oct 17, 88 at 11:33 am > >Right on. I lost my account on the University of Calgary vaxes four >times in my first year. Once because I used "rlogin" when I wasn't >supposed to. Three other times because of unfounded "rumour". It seems >the sysops fastest way to get me into his office was to turn off my >account. I don't even think what I did classifies as hacking... > Us liberals (card carrying etc.) often find that the punishment is supposed to follow conviction, not precede arrest. Well, enough of the democratic process, and enough of this. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Tue, 18 Oct 88 10:48:16 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Christian J. Haller" Subject: Re: Another vote. 
In-Reply-To: Message of Mon, 17 Oct 88 13:53:48 EDT from >viruses, second ETHICS-L has been completely silent for months and ETHICS-L has been far from silent. Maybe you should resubscribe. Maybe some of the rest of you should subscribe. I'm enjoying the discussions and sharpening my sense of fairness/justice. On January 26, the host server became ETHICS-L@POLYGRAF (it had been UGA before). A reminder to others on the list: DO NOT SEND SUBSCRIPTION OR UNSUBSCRIPTION REQUESTS TO THE LIST unless you really want to make thousands of copies of a simple administrative request (and make yourself look dumb). The correct form is (assuming CMS, and that you do not know a list peer closer to you than POLYGRAF, wherever that is): TELL LISTSERV AT POLYGRAF SUB ETHICS-L your name Notice "AT" instead of "@", and of course substitute your name as you want it to appear in files sent to you, in place of "your name". You don't need to provide your Userid or node: the LISTSERV picks them up from the message envelope. ========================================================================= Date: Tue, 18 Oct 88 11:00:40 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Len Levine Subject: Re: Yale locks?? In-Reply-To: Message from "VIRUS-L@LEHIIBM1.BitNet" of Oct 18, 88 at 10:11 am > >If I'm wrong, somebody correct me, but : >The 'Yale lock' mentioned is not software, it's a physical >lock, on a door. It was mentioned by way of analogy. > Right, I mentioned it. The Yale lock is the conventional lock like you find on most doors. Blueprints of that lock are easily available and any person who wants to know how it works can find out. However the height of a pin (which determines the depth of the notch in the key at that point), can only be found out by disassembling that lock, and thus, unless you can examine carefully an individual lock, you cannot guess at the key. 
My analogy was to a software protection package, in which the technique is known, but the code word, or the file name used is an individual choice on an individual machine. Anyone can know that I use a CRC protection algorithm, but what value I use for the CRC polynomial is known only to me. If that polynomial were public, a virus writer could easily build a virus that overlays part of a program, and changes just a byte or two to regenerate the same CRC.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Tue, 18 Oct 88 13:16:34 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Nilges
Subject: Re: I am proud to be a hacker!
In-Reply-To: Message of Mon, 17 Oct 88 11:33:00 MDT from

Here's hoping that the virus scare does not result in a witch hunt (and wizard hunt) for suspicious programmers, reminiscent of Joe McCarthy's crusade against domestic Communism of the 1950s. I don't mean to imply that actual perpetrators of viruses should not be detected and punished...I only mean that due process should be the norm. For example, no virus case should lack expert witnesses in the form of systems programmers testifying for the defense and prosecution. Administrative proceedings should mimic court proceedings, and give suspected programmers something like due process. This is morally justified by the fact that loss of a computer account can be a serious matter for an individual; this is pragmatically justified since it will prevent some unnecessary lawsuits by aggrieved individuals. I don't agree that this thread should move to ETHICS-L.
We are writing at the intersection of viruses and computer ethics. If the thread moves to ETHICS-L, then technicians uninterested in broad ethical issues, who have administrative responsibility for the condign punishment of virus hackers, will not have the benefit of the most current legal and ethical thinking on this matter. At most, the discussion should be cross-posted to both groups. It is true that it raises the noise level of this group considerably, but this group contained a high level of opinions, flames, and assorted nonsense before the advent of this hacker discussion.

Edward Nilges
=========================================================================
Date: Tue, 18 Oct 88 13:21:05 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: networks

>Because of these thoughts, I would object (again) to any suggestion
>that MS-DOS and MAC systems are more vulnerable to viruses
>than are any other systems. How about changing the sentence
>in question to read:
>
>> No conventional computer installation that accepts
>> executable files from another system is safe.
>
>Forgive me if I harp on this, but I'm constantly reading and
>hearing how it's just these silly micros that are vulnerable to
>viruses, and that as soon as they get to be more like mainframes,
>we'll be safe. It's not true...
>

I believe that the micros, at least those that have no user-system differentiation, like the PC and MAC, but unlike the microvax, do have an inherent flaw. With these simpler systems, any code can do anything. Any program can wipe out the disk, change any file etc. With the more sophisticated system (microvax), there is a user and a system space, and the only way to affect system space is to be running as a manager. Of course we have seen how these systems can be infected, but it requires a combination of errors, not just one, and the careful user/manager can watch the system and keep it safe.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Tue, 18 Oct 88 14:50:31 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David M. Chess"
Subject: Micros and others (was: Re: networks)

Len Levine writes, about systems with more of the traditional protection mechanisms than most micros have:

> Of course we have seen how these systems can be
> infected, but it requires a combination of errors, not just one...

I'm not sure I understand this. Any environment in which a user has normal write-access to executable files that other users have normal execute-access to can become thoroughly infected with a virus. It doesn't require any "errors" at all. Traditional protection mechanisms can certainly make it easier for people writing anti-virus software (because, for instance, if the anti-virus code is in a protected kernel, no user-run virus can turn it off), but by itself it doesn't do much to slow viruses down at all. In multi-user systems, where users typically use lots of "goodies" owned and updated by other users, I would maintain that a virus could spread *faster* than in a loosely-linked collection of single-user micros. See Fred Cohen's "Computer Viruses -- Theory and Experiments" for some confirmation of that...

DC
=========================================================================
Date: Tue, 18 Oct 88 13:08:51 MEX
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "J. Antonio D. Falcon Tena" <302581@VMTECMEX>
Subject: Re: Yale locks??
In-Reply-To: Message of Tue, 18 Oct 88 10:11:00 EDT from

Well I know yale locks are some locks for doors, but maybe they have a new meaning, you know people use too many words, and use them with double or triple meaning.
=========================================================================
Date: Tue, 18 Oct 88 12:56:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GORDON_A%CUBLDR@VAXF.COLORADO.EDU
Subject: Re: I am proud to be a hacker!

For what it's worth, I am in agreement with Ed Nilges' discussion. To improve the signal to noise ratio and reduce the bandwagon effect, I am also in agree- the signal to noise ratio we ought to reduce the bandwagon effect.
=========================================================================
Date: Tue, 18 Oct 88 15:51:30 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Micros and others (was: Re: networks)
In-Reply-To: Message from "David M. Chess" of Oct 18, 88 at 2:50 pm

>Len Levine writes, about systems with more of the traditional
>protection mechanisms than most micros have:
>> Of course we have seen how these systems can be
>> infected, but it requires a combination of errors, not just one...
>
>I'm not sure I understand this. Any environment in which a user
>has normal write-access to executable files that other users have
>normal execute-access to can become thoroughly infected with a virus.
>It doesn't require any "errors" at all.
>
>

My point was that if you are working in an environment where you may log in as a user with limited privileges, then you may establish one "user" and run as him while you are testing software. If the system will not permit writing to a file without updating its last used date, then you can see what files were affected, and if you cannot write outside of the test directory, then you may be sure that no changes occurred except in that area.

When done, the space can be cleaned.
In an unprotected system, no such security is possible.

Of course, if the virus is clever enough, then you can continue to use it and then you may well find that the infection will reach as far as you can reach. That continued use is the "error" that I referred to above.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Tue, 18 Oct 88 18:07:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Dimitri Vulis

This reminds me of an old Trojan Horse (not really a virus) which hit some school (I forget which) many many moons ago. A student wrote a program (some kind of useful tape utility) and submitted it to the systems people who liked it a lot, installed it among public utilities and used it heavily. Now, the program, in addition to being a very useful tape utility, checked the date and user's privileges every time it was run; and when it was run by one of the privileged users after the student graduated, it did some nasty things to the entire system. I guess there's a moral to it: if you can't trust the source of the program, no amount of testing with user privs will help.

Re sysops locking out alleged hackers: if you use your mainframe account for course-related work, and you don't do anything illegal, and systems people interfere with your work (e.g. lock out your account, erase your files, etc) the proper procedure is to SUE. There was a case about 2 years ago when a CUNYVM operator nologged a student he did not like. The student sued (the operator, not CUNY) and recovered the tuition for his computer course plus computer usage fee plus damages plus legal fees.
In my opinion, a systems person who does things like this is no better than a virus (Trojan) writer. I conjecture that they have similar personality traits.

-DV
=========================================================================
Date: Tue, 18 Oct 88 17:46:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bernie
Subject: Re: Micros and others (was: Re: networks)
In-Reply-To: Message of 18 Oct 88 14:51 MDT from "Len Levine"

I have to (really) disagree with the notion that mini's and larger are safer than MAC and PC types. Sure, with priv.s the system has a bit more security, but remember why that is so... Two people use the MAC in our classics lounge. Over 100 people use our Honeywell Multics machine on good days. On our suns and vaxes, the load isn't as much but there are over 200 students relying on these networked machines. Now the ratio of two people losing a few files compared to two hundred people makes viruses (especially worms) more dangerous on mainframes & mini's.

Note 1: On the sun, priv.s don't mean too much. They are easy to bypass if the "true hacker" (no flames please) writes the virus. Most UNIX machines are designed to be open, thus the question "why have privs at all?"

Note 2: Different tangent, when talking with WHMurray in private mail, he suggested that in fact writing a virus is morally wrong. If ethical issues, like writing a virus don't belong here, I'm confused...

Note 3: Using external devices for viral data is not a close topic, is it? I think it would be possible for things to hide in the laserwriter and imagewriter. Is it possible, using a smart device like a laserwriter, to actually have a destructive piece of code working separate from the machine? Ie. it could mangle all printouts etc........
========================================================================= Date: Tue, 18 Oct 88 21:19:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: ACS045@GMUVAX Subject: RE:Peripherals "BSWIESER@UNCAMULT" writes: >Note 3: Using external devices for viral data is not a close topic, is it? >I think it would be possible for things to hide in the laserwriter and >imagewriter. Is it possible, using a smart device like a laserwriter, >to actually have a destructive piece of code working seperate from >the machine? Ie. it could mangle all printouts etc........ I don't know much about the internals of such things like laser printers, etc., but the idea seems sound...you could have one sitting off somewhere in memory , or maybe have it infect a driver that would trash font loads or refuse to accept them from the main machine,etc. People have done it with clock/calendar memory and even a first generation LaserJet is a lot smarter than that, so why not peripherals?? Why even limit it to printers???...how 'bout a modem??---We just got a whole bunch of new modems that have NO DIP switches, its all programmed from the software....sounds like prime breeding ground to me!...theres got to be enough memory in there to copy a whole command set which means there might also be enough to house a virus. Maybe something to echo a character or hangup or something every x # of bytes transferred. I don't claim to be a hardware expert, so pardon me if I screwed up and keep your flame thrower holstered.. ------------ Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source. "Ahh...the keyboard, how quaint!" ========================================================================= Date: Tue, 18 Oct 88 23:28:23 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: me! 
Jefferson Ogata Subject: Re: peripherals Most peripherals, particularly modems, provide no code segment space for host writing; printers and some modems allow the host to install 'data' on them. The nature of the data used for these peripherals -- fonts, protocols, et al. -- is not rich enough to provide for self-replicating code, or even damaging code. In general, the worst a program could do with a laser printer is install a bad font, which would be stomped if a good font got loaded on top of it. With a modem, the host could define a bad protocol; this also would be temporary. While there may be peripherals where virus infection is possible, they are few and far between, from what I've seen. (Try infecting your accounting package with a data file. Not easy; usually impossible.) Drivers, on the other hand, can be infected, but this occurs on the host machine, not on the peripheral. - Jeff Ogata ========================================================================= Date: Tue, 18 Oct 88 22:06:00 PDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: portal!cup.portal.com!dan-hankins@SUN.COM Subject: Infected peripherals Jefferson Ogata writes: >The nature of the data used for these peripherals -- fonts, protocols, et >al. -- is not rich enough to provide for self-replicating code, or even >damaging code. In general, the worst a program could do with a laser >printer is install a bad font, which would be stomped if a good font got >loaded on top of it. The Apple LaserWriter uses PostScript. PostScript is a complete programming language. The LaserWriter has a *significant* amount of memory on board, like a meg or two (I seem to remember it being a meg when I worked with one in 1986). I can very easily imagine a virus written in PostScript infecting a LaserWriter. 
Dan Hankins
=========================================================================
Date: Tue, 18 Oct 88 21:01:29 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: portal!cup.portal.com!dan-hankins@SUN.COM
Subject: Are so-called protected systems protected against viruses?
In-Reply-To: Message from "Len Levine" of Tue, 18 Oct 88 15:51:30 CDT

In article <8810182114.AA16629@Sun.COM> Len Levine writes:

>My point was that if you are working in an environment where you may
>log in as a user with limited privileges, then you may establish one
>"user" and run as him while you are testing software. If the system
>will not permit writing to a file without updating its last used date,
>then you can see what files were affected, and if you cannot write
>outside of the test directory, then you may be sure that no changes
>occurred except in that area.
>
>When done, the space can be cleaned.
>
>In an unprotected system, no such security is possible.

Wrong. On an unprotected system (i.e. single-user micro) one does this:

1. Archive the hard file or write-protect it (physically disconnect it from the system if necessary).
2. Put the suspect program on a *copy* of one of your working disks.
3. Run the program as much as you want.
4. Compare the disk copy to the original.
5. Compare the hard file archive to the current contents, if practical.
6. If any files have been modified that should not have been, then you have a virus (or a buggy program).

This is actually *more* secure than the multiuser scenario you described. In your scenario a virus could be sensitive to restricted environments and not do anything nasty until run in a 'target-rich' environment. In mine it is running on what appears to be an ordinary working system.

My scheme is beatable also, in several ways. But the user privs and suchlike do *not* give the protected multi-user system more security than the unprotected single-user variety.
Dan Hankins ========================================================================= Date: Tue, 18 Oct 88 23:56:00 MDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: KEENAN@UNCAMULT Subject: Re: peripherals In-Reply-To: Message of 18 Oct 88 21:28 MDT from "me! Jefferson Ogata" Mainframe peripherals often have a very rich instruction set. As an example, tape drives are firmware-controlled and are basically computers, hence indeed subject to viral infection. We had a case once in which we lost the firmware in a tape drive and it kept a $3M computer off the air until we figured out how to put the firmware back in (via a card reader of all things...) so the loss of a peripheral in some cases could be quite serious. ========================================================================= Date: Wed, 19 Oct 88 02:32:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: ACS045@GMUVAX Subject: Re:Infected Peripherals >From: portal!cup.portal.com!dan-hankins@SUN.COM >Subject: Infected peripherals >To: Steve Okay >Jefferson Ogata writes: >>The nature of the data used for these peripherals -- fonts, protocols, et >>al. -- is not rich enough to provide for self-replicating code, or even >>damaging code. In general, the worst a program could do with a laser >>printer is install a bad font, which would be stomped if a good font got >>loaded on top of it. > The Apple LaserWriter uses PostScript. PostScript is a complete >programming language. The LaserWriter has a *significant* amount of memory >on board, like a meg or two (I seem to remember it being a meg when I >worked with one in 1986). I can very easily imagine a virus written in >PostScript infecting a LaserWriter. > > >Dan Hankins Which was sort of my original point, particularily with regards to laser printers. I'm a big TeX and LaTeX nut myself and it gobbles memory for breakfast, and since the peripheral is the point here, PC or mainframe isn't really that much of an issue. 
So, not only do you have a big huge chunk of memory, but you've got something thats actually portable too...e.g. if you're writing it in something like TeX or Postscript, you've got something that can live in both a PC and multi-user environment, since the original code is based on a standardized version(This is true at least w/ TeX...I've used an AT to TeX out files when our VAX's LN03 was down of the software it was programmed in. Hows that for migration possibilities??? As for wiping it out on the next font load, don't most lasers have a chunk of memory reserved specifically for default or standard fonts that are always available, even when not switched on??? ------ Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source. "Ahhh...the keyboard, how quaint!'' ========================================================================= Date: Wed, 19 Oct 88 02:57:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: ACS045@GMUVAX Subject: Re:Peripherals >From: KEENAN@UNCAMULT >Mainframe peripherals often have a very rich instruction set. As an >example, tape drives are firmware-controlled and are basically >computers, hence indeed subject to viral infection. We had a case once >in which we lost the firmware in a tape drive and it kept a $3M computer >off the air until we figured out how to put the firmware back in (via a >card reader of all things...) so the loss of a peripheral in some cases >could be quite serious. You don't even need a mainframe, or even a large PC to be able to infect a peripheral. All it takes is a C-64. The 1541 disk drive had a bank of 4k of RAM and its own 6502. One method of copy protection used to be to write a small part of the protection scheme into that area, and then have the loader check for it, if it wasn't there, it'd assume a copy and freeze up. A little off the track there, but nevertheless a good example of what you can do with a little space and some clever programming. 
------
Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source

"Ahhh....the keyboard..how quaint''
=========================================================================
Date: Wed, 19 Oct 88 09:54:10 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Infecting a LaserWriter (was: Infected Peripherals)
In-Reply-To: Message of Wed, 19 Oct 88 02:32:00 EST from

LaserWriter users should remember that the LaserPrep file is downloaded to the LaserWriter prior to any printing. It would be possible to install a Trojan Horse in this code quite easily. With the new LaserWriter NTX, it might be possible to store this code on the machine's hard drive. Anyone know whether this is possible?

As far as a virus, however, you would have to have a file-access mechanism in place to actually spread this virus back from the LaserWriter to the host machine. On top of this, the virus would need to be able to find out what kind of machine it is trying to infect. Does AppleTalk have such a call?

In general, IMHO, I think you might have to watch out for Trojan PostScript, but probably not viral PostScript. Are there any AppleTalk aficionados or PostScript hackers out there who can tell us more?

--- Joe M.
=========================================================================
Date: Wed, 19 Oct 88 08:53:27 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: peripherals again

Wow. Looks like there's a lot of weird stuff out there I've never heard of. But ain't it always that way?

A virus in Postscript seems like a viable idea. But a point I meant to make and forgot was this: what's the point? Most of the time, stuff gets downloaded to the printer. Now a virus can infect it all it likes, but it's gonna get wiped as soon as the printer is turned off. (There's no reason for page memory to be non-volatile. In fact, quite the contrary.) I mean, what's it going to infect?
There's just the one program; all a virus could really do is hang your
printer until you power-cycle it. And there are plenty of other ways to
hang a printer. As far as printers are concerned, what's the practical
difference between writing a virus and writing a non-terminating
Postscript program? It's not clear to me what the virus-writer would
achieve by writing a virus for a printer.

However, a Postscript virus would have a larger breeding ground; it
could infect other Postscript files when a host previewer gets run on
it. And in NeWS, there are lots more possibilities, since NeWS is
Postscript driven (+X11).

Another thing that is unclear to me is how a virus could infect
peripheral firmware. (Unless it was there when the firmware was
produced.)

- Jeff Ogata
=========================================================================
Date: Wed, 19 Oct 88 08:38:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Kent Cearley - UMS - 492-5262
Subject: RE: Hardware Virus

There are certain symbiotic relationships between device drivers, cpus,
and peripherals that might make an infection more viable than it first
appears.

For example, some classes of device drivers allow a terminal to execute
any program via an escape sequence followed by a command code and the
program's name and parameters. This was a particular philosophy for
dynamically reconfiguring device characteristics. Combine this with say,
a programmable printer, which when prompted with a sequence from the
host to identify printer type, sends the string with an escape sequence
and a destructive procedure call, or a modem which has this same string
defined as a setup sequence.

While it is true that many hardware devices use RAM memory only for
data, there are contexts ala von Neumann where data can become
instruction.
Perhaps the caveat is something Korzybski used to say, "You can never
say everything there is to say about anything"

*-----------------------------------------------------------------------*
|  Kent Cearley                |  CEARLEY_K@COLORADO.BITNET             |
|  Management Systems          |                                        |
|  University of Colorado      |  Q: "How many surrealists does it      |
|  Campus Box 50               |      take to change a light bulb?"     |
|  Boulder, CO 80309           |                                        |
|                              |  A: "Fish."                            |
*-----------------------------------------------------------------------*
=========================================================================
Date: Wed, 19 Oct 88 17:57:00 URZ
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: BG0@DHDURZ2
Subject: PostScript and Viruses/Trojans

Hi folks,

as mentioned correctly by some people there seems to be no way to write
a virus that is able to spread back to the computer and its storage
devices. But there is another problem with PostScript printers: You can
damage a PostScript printer by programming it in the wrong way so that
you have to send it in to the producer. So it is possible to write a
virus that can find out if a PostScript printer is installed and then
damages the printer by program (I don't want to elaborate on this, but
it is possible). As far as I know *no* anti-virus program prevents
this...

All the best,
Bernd.
=========================================================================
Date: Wed, 19 Oct 88 11:26:00 MST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Michael Kielsky
Subject: Great ideas!

I am glad that I subscribed to this list! The number of great new ideas
for writing viruses is inspiring! If I were gifted enough to be able to
create a virus, this would certainly be the place to get new ideas.

Michael Kielsky

P.S. There were some :-)s implied. Some.
=========================================================================
Date: Wed, 19 Oct 88 14:53:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Paul Coen
Subject: RE: Great ideas!

>I am glad that I subscribed to this list! The number of great new ideas for
>writing viruses is inspiring! If I were gifted enough to be able to create
>a virus, this would certainly be the place to get new ideas.
>
>Michael Kielsky
>
>P.S. There were some :-)s implied. Some.

I certainly hope that the attitude of "don't discuss it and nobody will
do it" is not common in this discussion. Has avoiding sex ed in this
country decreased the number of adolescents who engage in sex? No. All
it's done is given us a higher pregnancy rate than our European friends
such as Sweden, France, etc. If it didn't work in this case, what makes
anyone think it will work as far as computer viruses are concerned?

Give people the best information possible so they can combat viruses.
If someone is talented and malicious, they don't need the subscribers of
this list for their ideas. They'd be perfectly capable of writing a
virus on their own. Ignorance is more dangerous than knowledge.

+----------------------------------------------------------------------------+\
| Paul R. Coen                                                               | \
|                                                                            | |
| Bitnet: PCOEN@DRUNIVAC      U.S. Snail:  Drew University CM Box 392,       | |
|         PCOEN@DREW                       Madison, NJ 07940                 | |
|                                                                            | |
|         Just because you can't see it doesn't mean it isn't there!         | |
+----------------------------------------------------------------------------+ |
 \                                                                            \|
  \_____________________________________________________________________________\
=========================================================================
Date: Wed, 19 Oct 88 13:56:14 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Are so-called protected systems protected against viruses?

In an article Dan Hankins writes:
>
>In article Len Levine writes:
>>
>> [..]
>>
>>In an unprotected system, no such security is possible.
>
> Wrong.
>
> On an unprotected system (i.e. single-user micro) one does this:
>
>[..]
>
> This is actually *more* secure than the multiuser scenario you
>described. In your scenario a virus could be sensitive to restricted
>environments and not do anything nasty until run in a 'target-rich'
>environment. In mine it is running on what appears to be an ordinary
>working system.
>
> My scheme is beatable also, in several ways. But the user privs and
>suchlike do *not* give the protected multi-user system more security than
>the unprotected single-user variety.
>

How embarrassing.

Dan Hankins makes a very good point here. There is no difference in the
level of protection between the two systems for anyone who has systemic
authority in a secure environment. For the low level user, however,
there is less to worry about on the protected system with respect to his
own errors, more with respect to errors of the administrator.

Let me lick my wounds and work on this some more.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Wed, 19 Oct 88 15:24:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)"
Subject: RE: Re: I am proud to be a hacker!

BTW, another alternative to look at is Gnu C, which we have various
copies of around. It is based on a lexer generator and Bison, a YACC
rip-off.
-- Jerry
=========================================================================
Date: Wed, 19 Oct 88 18:20:07 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: peripherals again
In-Reply-To: Message received on Wed, 19 Oct 88 10:35:27 EDT

Jefferson Ogata writes....
>A virus in Postscript seems like a viable idea. But a point I meant to
>make and forgot was this: what's the point? Most of the time, stuff
>gets downloaded to the printer. Now a virus can infect it all it likes,
>but it's gonna get wiped as soon as the printer is turned off. (There's
>no reason for page memory to be non-volatile. In fact, quite the con-
>trary.) I mean, what's it going to infect? There's just the one
>program; all a virus could really do is hang your printer until you
>power-cycle it. And there are plenty of other ways to hang a printer.
>As far as printers are concerned, what's the practical difference

I can see that you are from the land of Unix, where hosts and printers
have a master/slave relationship. But on Apple Talk each node has a
peer to peer relationship. Thus, a LaserWriter, with appropriate virus
code, could act like a fileserver with infected programs.

Erik Sherk
Workstation Programmer
Computer Science Center
University of Maryland
=========================================================================
Date: Wed, 19 Oct 88 18:38:09 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: Re: hardware virus

>ala von neumann, where data can become instruction...

In some sense, data is ALWAYS instruction. That is, 'data' defines the
control flow of some virtual machine defined and modeled by the 'code'.
Simple example: grep; data is a program saying to print out lines that
conform to certain restrictions. This semantic model of programs as
machines holds for any program, though it gets obscure in many cases.
However, the main question is: does the language of the 'data' provide
adequate semantics to alter other 'programs'? In some circumstances,
the answer is yes. Grep output, when piped through another grep,
becomes another program with different output. Compiler input becomes
a program that can run directly on the target machine. Both are forms
of 'data' that can actuate control of the machine.

Now given the idea of interactive, very smart peripherals, one can
analyze whether the controls initiated by the peripherals are adequate
for modifying the GENERAL behavior of some unrelated program. This
essentially qualifies as virus infection, particularly if the modified
behavior includes modification of further programs' behavior. If,
however, the semantics of the peripheral control only allow damage or
reprogramming of other peripherals, especially in a one-way fashion, it
is more like Trojan damage. And the latter may require host program
modification in order for it to occur.

But this note is getting kind of dull.

- Jeff Ogata
=========================================================================
Date: Thu, 20 Oct 88 01:29:24 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: Apple Talk Attack

> I can see that you are from the land of Unix, where hosts and printers
> have a master/slave relationship. But on Apple Talk each node has a
> peer to peer relationship. Thus, a LaserWriter, with appropriate virus
> code, could act like a fileserver with infected programs.
> Erik Sherk

I'm fuzzy on how that would work. Are you suggesting the LaserWriter
will reach out and infect other networked computers without being
asked? If so, what protocols will enable it to do this? If not,
why would any computer ask a LaserWriter for executable code?
- Jeff Ogata
=========================================================================
Date: Thu, 20 Oct 88 09:03:39 edt
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GATEH@CONNCOLL
Subject: hardware vs. viruses

I seem to recall reading somewhere of a virus which infected a disk
driver. Apparently it increased the operating speed of the disk, such
that the drive wore out prematurely. Anybody else heard of such things?
I'm very curious to know what type of system was involved. I assume it
was a mini or larger, but I can't help but wonder if similar things are
possible on the micro level. I have this nightmare vision of such a
thing going undetected for a year or two, then micro hard disks crashing
left and right all over campus, and of course no one has backed up
anything properly...

Gregg TeHennepe                        | BITNET:  gateh@conncoll
Minicomputer Specialist                | Phone:   (203) 447-7681
Academic Computing and User Services
Connecticut College
New London, CT
=========================================================================
Date: Thu, 20 Oct 88 11:09:05 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Kevin Trojanowski
Subject: RE: hardware vs. viruses

>I seem to recall reading somewhere of a virus which infected a disk driver.
>Apparently it increased the operating speed of the disk, such that the drive
>wore out prematurely. Anybody else heard of such things? I'm very curious to
>know what type of system was involved. I assume it was a mini or larger, but
>I can't help but wonder if similar things are possible on the micro level. I
>have this nightmare vision of such a thing going undetected for a year
>or two, then micro hard disks crashing left and right all over campus,
>and of course no one has backed up anything properly...
>Gregg TeHennepe

The only drives I'm aware of which have the ability to change speed
without adjusting a potentiometer are Apple's 3.5" drives.
Even those drives (for the Apple ][ series), while programmable, I don't
believe can adjust their own speed via software. As for hard drives
with the capability to have their speed adjusted, I know of none. I
have no idea about the possibilities of this concerning minis or
mainframes.

By the same token, tho, wouldn't the same thing be accomplished by
having the drive do a series of random seeks? Depending upon the drive,
or the user, this is something which might not be immediately noticed
and would cause undue wear on the drive.

-Kevin Trojanowski
troj@umaxc.weeg.uiowa.edu
=========================================================================
Date: Thu, 20 Oct 88 11:24:15 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark S. Zinzow"
Subject: Brain Virus at UIUC

The Pakistani Brain Virus has been discovered by the PC Consultants on a
disk a student had been using in the Foreign Language Microcomputer Lab.
This is the first known occurrence of an IBM PC based virus infection on
this campus.

I suggest avoiding public use PC's for a few days until effective
counter measures can be implemented. Immediate backup of personal hard
disks, write protect all original disks, and be very careful about
exchanging files until we can provide details on checking for the
presence of the Brain Virus.

The Microcomputer Resource Center has a two disk set of anti-virus
programs and information which may be helpful. These may be copied
safely on a two drive PC there when booted from a write protected
original DOS disk.

-------Electronic Mail----------------------------U.S. Mail--------------------
ARPA: markz@vmd.cso.uiuc.edu         Mark S. Zinzow, Research Programmer
BITNET: MARKZ@UIUCVMD.BITNET         University of Illinois at Urbana-Champaign
CSNET: markz%uiucvmd@uiuc.csnet      Computing Services Office
 "Oh drat these computers, they are  150 Digital Computer Laboratory
  so naughty and complex I could     1304 West Springfield Ave.
  just pinch them!"  Marvin Martian  Urbana, IL 61801-2987
USENET/uucp: {ihnp4,convex,pur-ee,cmcl2,seismo}!uiucdcs!uiucuxc!uiucuxe!zinzow
(Phone: (217) 244-1289  Office: CSOB 110)  ihnp4!pyrchi/  \markz%uiucvmd
=========================================================================
Date: Thu, 20 Oct 88 17:46:07 MEZ
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Dr. Gregor Reich"
Subject: Re: hardware vs. viruses
In-Reply-To: Message of Thu, 20 Oct 88 09:03:39 edt from

Dear fellows,
please be reasonable. There is no way a software product can influence
the rotational speed of a hard disk neither on a PC nor on a greater
machine. There is a possibility to change the speed of the 1.2MB Floppy
on an AT, but it can only set one of two speeds and not some completely
different value. All we have to deal with is the software side, and
this is bad enough.

G. Reich
Institute for Analytical Chemistry
University of Vienna, Austria
=========================================================================
Date: Thu, 20 Oct 88 13:58:44 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: hardware vs. viruses
In-Reply-To: Your message of Thu, 20 Oct 88 17:46:07 MEZ

> There is no way a software product can influence
> the rotational speed of a hard disk neither on a PC nor on a greater machine.

It's possible that the person who brought this subject up wasn't
referring to rotational speed. I remember in my CP/M days that the
operating system could be configured for a particular track-to-track
seek time since some drives were slower than others. The default, if
memory serves me correctly, was 30 ms and could be bumped down to 6 ms
for faster drives - that made one hell of a difference in the drive
speed. As I recall, these numbers were dependent on the floppy disk and
the disk controller's firmware. That is, 29 ms is not a valid time, but
30 is.
Nonetheless, setting a drive up for 6 ms when it couldn't quite keep up
with that speed could conceivably make the drive very unhappy. I don't
think that this would cause hardware damage, though, only seek errors on
the drive.

Ken

Kenneth R. van Wyk                   Calvin: Says here that there are four
User Services Senior Consultant              pecks in a bushel. What's a peck?
Lehigh University Computing Center   Hobbes: A quick smooch.
Internet:                            Calvin: You know, I just don't understand
BITNET:                                      this math stuff!
=========================================================================
Date: Thu, 20 Oct 88 12:58:58 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: hardware vs. viruses
In-Reply-To: Message from "Dr. Gregor Reich" of Oct 20, 88 at 5:46 pm

>please be reasonable. There is no way a software product can influence
>the rotational speed of a hard disk neither on a PC nor on a greater machine.
>There is a possibility to change the speed of the 1.2MB Floppy on an AT, but
>it can only set one of two speeds and not some completely different value.
>All we have to deal with is the software side, and this is bad enough.
> G. Reich

Let us not become too cool here. It is possible for example for
software to damage some (older fashioned) crt devices by changing sweep
rates, it is not an unreasonable question to ask about other tuneable
phenomena.

I agree that I am unaware of any disk drive that has its speed tunable,
but I do not believe that this is not either possible or beyond
comprehension. As hardware becomes more sophisticated, the capabilities
may well become available.

Let's scoff more slowly.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Thu, 20 Oct 88 14:15:19 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: Mac viruses..

Has anyone heard of a Mac virus that puts up a dialog box with
"Sax Flash"? There is a rumor of one here at U of Maryland.

Erik Sherk
Workstation Programmer
Computer Science Center
University of Maryland
=========================================================================
Date: Thu, 20 Oct 88 11:58:00 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Sakabu
Subject: Re: Re: hardware vs. viruses

> >please be reasonable. There is no way a software product can influence
> >the rotational speed of a hard disk neither on a PC nor on a greater machine.
> >There is a possibility to change the speed of the 1.2MB Floppy on an AT, but
> >it can only set one of two speeds and not some completely different value.
> >All we have to deal with is the software side, and this is bad enough.
> > G. Reich

I do recall in the old days (~8 years or so ago) we had a DEC 10 that
ran tops 10 and you could crash disk heads by forcing the heads to seek
from the inside to the outside tracks at a certain frequency. If there
was a minimal amount of other seeks this would crash the disk.

--Ed
=========================================================================
Date: Thu, 20 Oct 88 12:27:14 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: Apple Talk Attack
In-Reply-To: Message received on Thu, 20 Oct 88 01:39:10 EDT

Jefferson Ogata writes...
>I'm fuzzy on how that would work. Are you suggesting the LaserWriter
>will reach out and infect other networked computers without being
>asked? If so, what protocols will enable it to do this? If not,
>why would any computer ask a LaserWriter for executable code?
No, I am not suggesting that. What I meant was that the LaserWriter
would mask out the real file-server and that Macs would execute code
from the LaserWriter that was acting like their "safe" file-server. Now
that I think about it, this would be a really neat use of the new NTX
with a hard disk ( not to distribute virus code but just act like a
file-server! :-).

Erik Sherk
Workstation Programmer
Computer Science Center
University of Maryland
=========================================================================
Date: Thu, 20 Oct 88 16:16:52 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Kenneth R. van Wyk"
Subject: Brain virus hits Hong Kong (reprinted from RISKS forum)

This was in a recent RISKS forum:

Date: Tue, 18 Oct 88 13:34:27 est
From: Dave Horsfall
Subject: "Brain" virus shows up in Hong Kong

On the off-chance that you haven't had enough of virus reports, here's
another one from Computing Australia, 17th October, 1988:

``HK consultants hit by overseas virus

  A leading firm of financial consultants has become the first
  mainstream business in Hong Kong to be affected by a computer virus.

  The Business International consultancy reported last week the "Brain"
  virus -- well-known elsewhere in the world, but never before seen in
  Hong Kong -- had appeared on some disks.
  ...
  BI was playing down the significance of the find last week, with a
  company spokeswoman saying the virus had not reappeared and that no
  data had been lost.''

The article goes on further to discuss the origin of the Brain virus,
and makes the amazing observation "[it] does not destroy data, but
scrambles it beyond recognition". I dunno, I would certainly regard
data "scrambled beyond recognition" as being "destroyed".

Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave

Kenneth R. van Wyk                   Calvin: Here, try this new cereal,
User Services Senior Consultant              Chocolate Frosted Sugar Bombs.
Lehigh University Computing Center   Hobbes: Gack! Ptui! :-(
Internet:                            Calvin: Yeah, they're a bit bland until
BITNET:                                      you scoop some sugar on them.
=========================================================================
Date: Thu, 20 Oct 88 16:37:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Robert Stratton
Subject: Re: hardware vs. viruses

>I seem to recall reading somewhere of a virus which infected a disk driver.
>Apparently it increased the operating speed of the disk, such that the drive
>wore out prematurely. Anybody else heard of such things? I'm very curious to
>know what type of system was involved. I assume it was a mini or larger, but
>I can't help but wonder if similar things are possible on the micro level. I
>have this nightmare vision of such a thing going undetected for a year
>or two, then micro hard disks crashing left and right all over campus,
>and of course no one has backed up anything properly...
>Bob Stratton

I do recall an instance of a Trojan horse on the old TRS-80 Model I,
which would do a series of random, long distance seeks on floppy drives.
The drives in question, if left unattended, as many BBS machines were,
would eventually overheat and in several cases, began to smolder. Disk
drive technology has improved considerably since then, but so has the
instance of unattended operation of PC's.

Bob Stratton
=========================================================================
Date: Thu, 20 Oct 88 14:34:00 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "JOHN D. WATKINS"
Subject: kill that drive!

On the subject of damaging disk drives, a couple months ago I read (I
think in Computers & Society Digest) about a prank you could play with
drives; you figure out a good resonant frequency for the drive, then
make the head(s) seek at just that rate.
The drive starts vibrating (relatively) violently, enough so that it
creeps across the floor, possibly unplugging itself and certainly
puzzling the operators in the morning!

I believe that this referred to mainframe drives, but it has
interesting possibilities for micros as well; if you could make a drive
vibrate for long enough you might be able to throw it out of alignment
or something evil like that...

Kevin
=========================================================================
Date: Thu, 20 Oct 88 17:16:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GORDON_A%CUBLDR@VAXF.COLORADO.EDU
Subject: RE: kill that drive!

Regarding the software destruction of drives...some of the PC disk
diagnostics can approach what seems to be a self destructive mode. When
running the seek test, the drive does indeed start to vibrate and
becomes rather loud. I suppose that a virus implanted in an unattended
machine could do the same. I have never had enough courage to run this
test more than once every so often. I don't know what would happen if
the drive were continuously run this way. I can't imagine it would be
very good for it.

Allen Gordon
=========================================================================
Date: Thu, 20 Oct 88 20:23:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Dimitri Vulis
Subject: Software damaging floppy drives on a PC

The FDC on IBM PC and clones has a parameter called 'head unload time'.
BIOS sets it to a conservatively high value; MS DOS 2.0 and later resets
it to a lower value. Soon after DOS 2.0 came out, some people figured
that they can make their drives operate faster by setting it lower yet;
and it did, but the affected drives went out of alignment within a few
months. I don't see why this was referred to as 'virus', though.
(Although, this certainly is a technique that a virus or a Trojan horse
could use to damage the machine).
=========================================================================
Date: Thu, 20 Oct 88 21:34:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Gordon Meyer
Subject: More on hardware damage

Just to add a little fuel to the virus/hardware damage thread, I'd like
to point out that it is supposedly possible to fry a monitor, on the
Atari ST system, by forcing the computer into the incorrect mode. In
other words, if you have a monochrome monitor hooked up the hardware
will detect this and adjust the sync rate of the computer to match. But
it is supposedly possible to "trick" the computer, via software, into
thinking that a color monitor is being used. Evidently the differing
sync rates of the two monitors will cause permanent damage if this
occurs.

-=->G<-=-

I'm not a software developer, and I'm no hardware wizard. I'm sure the
concept is correct but don't flame me for saying zig when I should have
said zag. Polite corrections are welcome. I imagine the concept could
apply to other systems as well.
=========================================================================
Date: Thu, 20 Oct 88 23:11:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Paul Coen
Subject: RE: More on hardware damage

If I'm not mistaken, on the old IBM monochrome monitors one could (and
someone did) write code (I can't recall if it was a virus, trojan horse,
or what), that altered the scan rate on the screen, and if this was
allowed to continue, it could heat the monitor up to the point where it
could (and on occasion did) burst into flames. I wish I could recall
this a little better than I do, I can't even remember the specific
monitor. Anyone else out there read/hear/have this happen to you?

+----------------------------------------------------------------------------+\
| Paul R. Coen                                                               | \
|                                                                            | |
| Bitnet: PCOEN@DRUNIVAC      U.S. Snail:  Drew University CM Box 392,       | |
|         PCOEN@DREW                       Madison, NJ 07940                 | |
|                                                                            | |
|         Just because you can't see it doesn't mean it isn't there!         | |
+----------------------------------------------------------------------------+ |
 \                                                                            \|
  \_____________________________________________________________________________\
=========================================================================
Date: Fri, 21 Oct 88 08:40:40 MEZ
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Dr. Gregor Reich"
Subject: Re: More on hardware damage
In-Reply-To: Message of Thu, 20 Oct 88 21:34:00 CDT from

I think I have to clear up a few things about my remark on "no way to
influence the hardware". What I feel the danger of a virus is, that
something goes on which can not be stopped until it's too late. This can
happen (on the hardware side) by changing the seek time of a drive to a
value which influences its performance over time. The other
possibilities, i.e. bringing the heads in a resonance status or frying
the monitor (you can do the same on a Hercules card), would not be
unnoticed by the people in front of the screen. If you have a BBS or
something else running unobserved, that's of course another story.

G. Reich
Institute for Analytical Chemistry
University of Vienna, Austria
=========================================================================
Date: Fri, 21 Oct 88 10:08:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Shatner and Nimoy in '92!
Subject: Software frying Commodores

Remember the Commodore Pet? It was made back around 1977. Referencing
a certain memory location made the 6502 run at 2 MHz (I think) instead
of 1 MHz. The only drawback was that 1. the machine was unreliable at
that speed, and 2. on certain models of the Pet, doing so could fry
certain chips.
=========================================================================
Date: Fri, 21 Oct 88 12:24:08 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark F. Haven"
Subject: PC disk diagnostics- destructive?

>Date: Thu, 20 Oct 88 17:16:00 MDT
>Sender: Virus Discussion List
>From: GORDON_A%CUBLDR@VAXF.COLORADO.EDU
>Subject: RE: kill that drive!
>
>Regarding the software destruction of drives...some of the PC disk diagnostics
>can approach what seems to be a self destructive mode. When running the seek
>test, the drive does indeed start to vibrate and becomes rather loud. I
>suppose that a virus implanted in an unattended machine could do the same. I
>have never had enough courage to run this test more than once every so often. I
>don't know what would happen if the drive were continuously run this way. I
>can't imagine it would be very good for it.
>Allen Gordon
>

When I worked for a company which sold PC's we burned them in before
delivery by stressing them as much as possible. One of the things we
did to test drives was to run the diagnostics continuously overnight.
It turned up some defective machines (which we returned) but I don't
remember the ones we sent on to our customers coming back with problems
in the drives at a higher rate than the machines I fixed which we had
not burned in. Based on this I conclude that the PC diagnostic seek
test is non-destructive (despite the noise). If anyone has any actual
experience to the contrary PLEASE post it.
=========================================================================
Date: Fri, 21 Oct 88 14:31:43 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Aldus gets hit again

I've just received a word-of-mouth announcement that Aldus Corporation
was hit by another virus. The original announcement, I'm told, came
from the Associated Press board on Compuserve. The details that I have
are sketchy, but they say that the virus was called nVir (?).
If anyone has any more information on this, *please* send it to the list!

Also, the same announcement on Compuserve said that Carnegie Mellon University (in Pittsburgh PA) was also hit by a virus this last week. No more details on that one, though. Does anyone have any more information on this? The Compuserve message was dated today, 10/21/88.

Ken

Kenneth R. van Wyk                   Calvin: Says here that there are four
User Services Senior Consultant              pecks in a bushel. What's a peck?
Lehigh University Computing Center   Hobbes: A quick smooch.
Internet:                            Calvin: You know, I just don't understand
BITNET:                                      this math stuff!
=========================================================================
Date: Fri, 21 Oct 88 13:46:17 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Kevin Trojanowski
Subject: Software effects on hardware

A few years back, I remember hearing some acquaintances talking about a method of "punishing" someone they didn't like -- they would give him copies of pirated software which had the boot sector (or some such) changed so that when he would boot the disk, the drive would be told to seek track 99. On the old Commodore-64 drives, this caused the drive head to fall off the glides, damage itself on the stops, or some equivalent thereof -- in any case, it ruined the drive.

-Kevin Trojanowski
troj@umaxc.weeg.uiowa.edu
=========================================================================
Date: Fri, 21 Oct 88 15:22:51 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: Aldus gets hit again
In-Reply-To: Message of Fri, 21 Oct 88 14:31:43 EDT from

>... they say that the virus was called nVir (?). If anyone has any more
>information on this, *please* send it to the list!

Boy, I don't understand that at all. nVIR is a well-known Mac virus that can be fought quite successfully with the "Vaccine" CDEV. If this is the known strain of nVIR, Aldus isn't being very careful about viruses.
For those who know about nVIR, you may delete the rest of this message.

nVIR is a virus supposedly based on some assembler source which was posted in CompuServe last year sometime. It follows standard spread patterns (application -> system, system -> applications), but has a few bugs. It doesn't check for a "killed" version of itself and does not completely infect applications which have protected code resources. Its "function" is to (on a 1-in-16 chance) say "Don't panic" if MacInTalk is installed, and to beep if it isn't.

The LISTSERV here at SCFVM has both a program to remove it from your applications and a better explanation (in the virus documentation stack). You must use ResEdit to get it out of your System files.

Again, since source of sorts was available for this one, it may have been modified to be more sophisticated and more aggressive; it is also possible that it has been made Vaccine-proof.

--- Joe M.