VIRUS-L Digest             Wednesday, 23 Nov 1988         Volume 1 : Issue 19

Today's Topics:
next it will be the Nazi terror...
Re: Morris and punishment.
follow up on "hacker" paper anncmnt
Going easy on Morris
SCORES Virus (Mac) Sighted At Washington State U.
Jurisdiction & the Morris case
Morris and 'security'
Re: Info on CHRISTMA EXEC (IBM VM/CMS)
Computer Security Conferences
Hardware Vandals
Re: The $20 million figure for lost time...
Virus and ETHICS articles

---------------------------------------------------------------------------

Date: Tue, 22 Nov 88 13:01 CST
From: Gordon Meyer
Subject: next it will be the Nazi terror...

Jeff Ogata recently compared the Internet worm damage to a drunk driver killing somebody, and the Union Carbide "accident" that killed and maimed many.

Jeff, I don't want to single just you out...this has been a problem with many postings. Can we PLEASE stop talking like this virus did actual physical harm to somebody?! Sure...it may have eaten up hours of system time, used up overtime money for system programmers, and generally caused some headaches. But nobody was killed or maimed!

Only by sticking to a reasonable analogy can we counter the hyperparanoia that things like this generate.

Thanks for your attention

-=->G<-=-
Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER   CIS: 72307,1502   Phone: (815) 753-0365
Bitnet: tee-kay-zero-gee-are-em-one at enn-eye-you
Disclaimer: Grad students don't need disclaimers! I'll have an opinion when I get my degree.
--- BE YE NOT LOST AMONG PRECEPTS OF ORDER... (book of Uterus) ---

------------------------------

Date: Tue, 22 Nov 88 19:08 EST
From: Ain't no livin' in a Perfect World.
Subject: Re: Morris and punishment.

Whether or not Mr Morris' virus caused harm or was intended to isn't the issue here. In other areas we can see that intention to commit a crime or break a law doesn't play a part in penalizing someone or another organization for a crime committed.
For example, this October, the NCAA put the University of Cincinnati basketball and football programs on 3 yrs. probation for recruiting violations. Their football team has had 6 consecutive losing seasons and their basketball team's last appearance in a post-season tournament was in 1985 in the NIT. The NCAA even said they didn't intend to commit these violations, and clearly no harm was caused because they've got such bad teams anyway. But what the NCAA did see was the need to protect the other schools that participate from unfair recruiting tactics committed by teams trying to get an unfair advantage.

This is similar to what has happened with this virus. Even though it was not intended to cause harm, and probably caused very little, it was annoying for those involved with it. Everyone else who tries to use a computer for honest means should be protected from the select few who want to annoy people with their talents.

Tom Kummer

------------------------------

Date: Tue, 22 Nov 88 22:50 CST
From: Gordon Meyer
Subject: follow up on "hacker" paper anncmnt

As of 11/22/88 10:30pm CST I have responded to all requests for my paper ("Hackers, Phreakers, and Pirates: The Semantics of the Computer Underground"). Those of you who asked for one should be getting it shortly. Thanks for your interest, and I look forward to hearing any comments you may have.

If anybody still wants a copy, I'll continue to send it. But I'm going away for Thanksgiving so my response time will be delayed.

Apologies to those that had trouble getting through to me. I've learned more about the various networks and mailing methods than I ever cared to know! :) So far none that I've sent have bounced back (with one exception...see below) but let me know if you don't get your copy over the next couple of days (allowing for network delays and such).

Thanks again for your interest, and happy thanksgiving to our US readers.
-=->G<-=-

* Keven Lepard (sasquatch@albion.bitnet): our mailer doesn't know anything about "albion". Can you supply an alternate address?

Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER   CIS: 72307,1502   Phone: (815) 753-0365
Bitnet: tee-kay-zero-gee-are-em-one at enn-eye-you
Disclaimer: Grad students don't need disclaimers! I'll have an opinion when I get my degree.
--- BE YE NOT LOST AMONG PRECEPTS OF ORDER... (book of Uterus) ---

------------------------------

Date: Tue, 22 Nov 88 21:57 EST
From: "Mark H. Anbinder"
Subject: Going easy on Morris

Morris may not have ruined anyone's life, but he sure caused an awful lot of trouble for one little grad student. What he did was against the law, not to mention against all sane ethical values, and he should be punished appropriately, as the law provides.

The comment that we left the holes in our systems and therefore should blame ourselves for his intrusion is silly. If I leave my front door unlocked and I'm robbed, sure it was dumb of me, but someone still broke the law. Only if I put a sign at the roadside saying FREE TELEVISION, STEREO AND COMPUTER... JUST WALK IN! ...could the robbery be considered anything but a robbery.

Morris has waltzed uninvited (or at least his program alter ego has) into our computer systems, and even though he didn't maliciously destroy or interrupt anything, it caused plenty of problems. The man should pay for what he has done.

Mark H. Anbinder
Department of Media Services
Cornell University
THCY@CRNLVAX5
THCY@VAX5.CIT.CORNELL.EDU

------------------------------

Date: Tue, 22 Nov 88 15:26:35 PLT
From: Joshua Yeidel
Subject: SCORES Virus (Mac) Sighted At Washington State U.

The infamous SCORES virus has been sighted on Macintosh computers at Washington State University. It was first sighted on a Macintosh in our Computing Information Center, but it has since been seen on staff computers and on disks in our Microcomputer Lab.
We are taking the obvious steps: distributing Interferon, Vaccine, Virus Detective, and Virus RX to users on locked startup disks; and writing and distributing a short document on what a virus is, how it spreads, and how to detect, protect from and correct viral infections.

We are also instituting a procedure to prevent our MicroLab from being a source of infection. We call it "disk washing". When the diskettes we hand out to users are returned, they go in a "dirty disks" box. Before they can be handed out again, we copy onto them the appropriate software from locked backup disks that never circulate. It is exactly analogous to washing dishes in a restaurant. Unfortunately, it's also quite a bit of extra work -- an increment we certainly didn't need.

We also signed up for VIRUS-L -- whence this note.

------------------------------

Date: 23 November 88, 11:33:06 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: Jurisdiction & the Morris case
Code: The Byte '+' (sent as '48'x) is meant as a paragraph sign.

Hi list,

the recent contributions and flames seem to neglect an important legal distinction: criminal vs. civil law. At least in our country, this constitutes quite a difference, and that'll probably be similar in USA.

Please read the following with the proviso, that I'm arguing due to my understanding of German law, and that in USA things might be slightly different. And forgive me, if I don't choose the correct legal terms.

Criminal law:
For writing or spreading a worm (as Morris did), you can only be punished, if there's a law against such activity, such as the German +303a, or that US Title mentioned recently. It depends on the exact wording or context of the pertinent law, whether the act is prosecuted ex officio, or only due to petition.
Many articles in criminal law (at least in Germany) draw a distinction on whether the act was committed deliberately (more severe punishment), negligently (less severe punishment), or through no fault (no punishment, at all). In court, the attorney has to offer proof of the facts, and of the responsibility.

Civil law:
If you do damage to property of other persons or institutions, you are liable for it. The affected may (at his/her discretion) sue the perpetrator for damages -- regardless whether it was done deliberately or negligently; in German law there are even cases, when you can sue a person/institution for damage that was done through no fault: this applies e.g. to Railway Companies for "inevitable" accidents.

My opinion:
As we got no answer as to the exact wording of that US Title, I cannot guess, whether Morris can be punished or not. Personally, I agree with those contributors to VIRUS-L pleading against severe punishment, as there was probably no purpose.

If, however, everybody will sue Morris for the manpower devoted to down-tracking and removing his worm, and if he will be sentenced to compensate for those 20 Megabucks we've read of (not to forget lawyer's fees and legal expenses for some 1000 civil law suits), his life will pretty well be spoiled -- probably more than by a criminal punishment. He's in need of a very, very good lawyer to obviate this threat.

Again, the petitioners will have to prove Morris' liability and the amount of the damage caused. Since Morris was not the only person liable for the success of the worm (the programmers and system administrators, who left the back-door open, are nearly equally liable), and since only the inevitable part of the damage must be compensated for (e.g. no man-power to dis-assemble the worm), Morris probably will not have to pay the full 20 M$, but even half or a quarter of this amount will be more than enough to knock him out.

This will probably happen, regardless of our opinions.
Children, let this be a warning to you, and do not play with the fire!

Otto

------------------------------

Date: Tue, 22 Nov 88 20:32:16 EST
From: Jefferson Ogata (me!)
Subject: Morris and 'security'

I've never heard anyone say that Unix systems are secure. Nobody was offended in the least that a program could infiltrate those systems. Anyone who might have thought his Unix system was secure would certainly have plugged the sendmail and fingerd holes already. The only folks who got stomped by the worm were those who didn't care enough about security to take protective measures. So the thesis that hostility towards Morris is the result of wounded pride is ridiculous. In fact, I haven't detected any hostility towards Morris period. I think Morris is generally regarded with a certain pity.

The reason people are clamoring for prosecution is manifold. Some would like to use Morris to set an example towards other evil hackers. This is reasonable, because Morris has achieved a high publicity level, and because he did break the law. Another reason for prosecution is the need to maintain as consistent a legal system as possible. This is the reason why he cannot be sentenced to public service to make him once again 'useful' to society. Our legal system is punishment oriented; its purpose is not rehabilitation nor is it reentry into society. It is unreasonable to treat Morris differently from other criminals merely because of his reputed intentions. This is an issue of the ethics of our legal system; it has nothing to do with Morris' case in particular.

It is true that there was no security for Morris to break. This is irrelevant. If you don't lock the front door of your house, this does not constitute permission for anyone to enter. And if someone entered every unlocked house in a major city, they would hopefully be prosecuted, regardless of whether they stole anything. In fact, Morris' program did 'steal' something.
By reporting some statistics on the infection rate as it spread, it was revealing the level of security-mindedness of hundreds of systems. This constitutes a blatant invasion of privacy. Consider if the person who enters every unlocked house subsequently publishes a list of those houses he was able to invade, thereby tipping off everyone as to who the prime targets are. This is about to happen on an even larger scale, as surveys of the infected sites are completed.

- Jeff Ogata

------------------------------

Date: 23 November 1988, 14:09:48 GMT
From: Ahmet Koltuksuz (51)275858 BILSER3 at TREARN
Subject: Re: Info on CHRISTMA EXEC (IBM VM/CMS)

Hello Everybody;

I have recently requested some info on CHRISTMA EXEC on this mail list as most of you guys will surely remember. Well wonders of wonders...lots of very kind people responded in a highly informative way and I'm so much proud of them. I would like to thank 'em again....so let me put their names and E_Mail addresses as to let everybody know these cooperative people. Please all of you guys who are listed below accept my sincere regards and thanks.

***** James FORD : *****
***** Gabriel BASCO : *****
***** Rudi Van HOUTEN : *****
***** Mark ANBINDER : *****
***** Dimitri VULIS : *****
***** Sean OWENS : *****
***** Bob PARKS : *****
***** Otto STOLZ : *****
***** Christian MUELLER : *****

Ahmet KOLTUKSUZ :

------------------------------

Date: Wed, 23 Nov 88 09:51:59 EST
From: roskos@ida.org (Eric Roskos)
Subject: Computer Security Conferences

> There are no proceedings, as such, that I am aware of.

Recently there's been a lot of discussion and questions raised about the various computer security conferences, how to get their proceedings, etc. I've never heard of the CSI conference, but there are three major computer security conferences each year, which do publish proceedings:

1) The IEEE Symposium on Security and Privacy, held each year in Oakland, for which you can get the proceedings through the IEEE.
If you're an IEEE member, they're listed in the catalogs of publications they send out once periodically.

2) The DOD/NIST National Computer Security Conference, held each year in Baltimore. I'm not sure how you get a copy of these proceedings other than attending the conference. Almost everyone involved in computer security attends this one; this year, it overlapped the Virus workshop held near Lehigh, which is probably why a lot of computer security people didn't make it to the Lehigh workshop.

3) The AIAA Aerospace Computer Security [Applications] Conference, held each year in Orlando. I believe you can get copies of the proceedings from the American Institute of Aeronautics and Astronautics, 370 L'Enfant Promenade, SW, Washington, DC 20024-2518. This year's conference is being held in a few weeks (December 11-16). Some of the people who contribute to VIRUS-L will be presenting papers there, though not necessarily on viruses. :-)

All of these conferences cover fairly advanced research in computer security (a lot of the people presenting papers have PhDs in Computer Science or related fields), so if you are just casually interested in viruses, etc., you may find them not particularly interesting. They are regular academic conferences, just like conferences in most fields of Computer Science, and are of a similar nature.

Also, (1) above, which generally has the most "academic" topics, has a limited attendance. (2), as I mentioned, is attended by a very large number of people and has a very wide variety of topics discussed, and is probably the one to attend if you have to just pick one. They generally cost around $400 or so to attend (the AIAA conference this year was $465), although they may have student rates, I don't know.

------------------------------

Date: Wed, 23 Nov 88 10:21:17 EST
From: Don Alvarez
Subject: Hardware Vandals

We've read a fair amount here lately about how one might physically damage hardware with a piece of malicious code.
Unless I'm mistaken, there hasn't been much said on the subject of how to PREVENT damage to hardware by malicious code.

I'm particularly interested in how chips with built-in test features might affect the situation. Adding internal test features basically means you give the chip an additional new mode, in which (if it's a working chip and you know how the innards are arranged) you the nasty programmer suddenly have an enormous amount of control over the outputs of the chip. If the testability features are serious enough, you might even be able to turn inputs into outputs, with all the obvious fun that would entail (a chip would have that feature if it had too few "natural" outputs for the number of internal registers and such you might want to look at).

People have flamed about "secure" operating systems from an anti-virus point of view. Let's extend this to hardware. In general terms, what can you do, and what do you need to know to try to configure an anti-vandal system? In a specific sense, you need to know how all of your chips work and what effects they can have if used in improper modes, but is there a methodology one could use to ensure a reasonably safe system in the general case?

As I understand it, we're supposed to be the good guys. It's definitely important to know what the bad guys might do (and really neat, too... that disk-drive resonant frequency hack is cool!), but it's at least as important to think about what one can do to PREVENT bad things.

Don Alvarez
boomer@space.mit.edu

Oh, yeah... here's my personal favorite hypothetical nasty...

Recently fired programmer in an automated factory programs robotic arc welder to cut through LAN cable, bringing the entire factory to a halt and blowing every transceiver in the building. (If you're going to go for the glory, you might as well go all the way...
I bet you could run the damages well into the millions and cause a MONTH of down time for an entire factory this way)

Have a nice day

NOTE: Don't try this at home, kids, these folks are trained jello snorflers. Any resemblance between the words used here and any actual ideas is purely a coincidence.

------------------------------

Date: 23 Nov 88
From: J.D. Abolins
Subject: Re: The $20 million figure for lost time...

The first I heard of that figure was from a NBC-TV TODAY SHOW's interview with John McAfee about 2 weeks ago. He did not explain how the figure was derived.

------------------------------

Date: 23 Nov 88 11:55:00 EDT
From: "AMSP6::CHRISTEVT"
Subject: Virus and ETHICS articles

I N T E R O F F I C E   M E M O R A N D U M

Date: 23-Nov-1988 11:54
From: Victor ET Christensen CHRISTEVT
Dept: ASD/SCNX 676-111 (B)
Tel No: (513)255-/AV785-2064
Subject: Virus and "ethics" articles

The 21 November 1988 issue of "Government Computer News" (GCN) has two articles that might be of interest to y'all:

"BIG GUNS TAKE AIM AT VIRUS," by Neil Munro, starting on page one and continuing on page 100; subject matter should be pretty obvious.

"WHY SOFTWARE DEFECTS SO OFTEN GO UNDISCOVERED," by William E Perry, on page 85; mentions some reasons why bugs/holes like those exploited by the current worm don't get fixed...sounds like a bit of ethics to me.

So as not to violate any copyright laws, I have not included either article in part/full...if there's enough interest to have them posted here, I'll contact GCN and ask them for permission to do so; reply to my account, not the mailing list, if you'd like to see them here.

THIS MESSAGE ALSO SENT TO THE TCP-IP AND ETHICS-L LISTS

ET B ME
VIC !

------------------------------

End of VIRUS-L Digest
*********************