VIRUS-L Digest             Wednesday, 9 Nov 1988         Volume 1 : Issue 1

Today's Topics:
digest format
It's done, and some info.
A couple of forwarded comments on VMS and Unix security
RE: Re: MILNET/ARPANET Virus
Today's NYT
Re: VIRUS on ARPA net
On viruses, viri and virii ...

---------------------------------------------------------------------------

From:         [email protected]
Subject:      digest format
To:           [email protected]
Keywords: edited

Ken,
    It sounds like a good idea to me to start getting the "digests".
I am tired of getting duplicates and ascii trash.  Hope this isn't too
much of a bother for you and you can continue to do it.  Thanks for
the effort.  It is appreciated.  You are saving a lot of people
precious time.


        Pat Reedy
        [email protected]


[Ed. Thanks for the input!  The effort involved is actually quite
minimal thanks to a set of GNU EMACS digestifying routines by David
Steiner.  It takes me about as much time to create a digest as it
would to read my own mail.]

------------------------------

Date: Wed, 9 Nov 1988 11:45:33 EST
From: Ken van Wyk <[email protected]>
To: virus-l
Subject: It's done, and some info.

As announced, VIRUS-L is now a digest format list.  To you, the
readers, nothing different has to be done.  To send mail to the list,
just send mail to [email protected] exactly as before.
Subscribing and un-subscribing is also identical to the way it was
before.

A couple of problems have been solved by the change.  The list is now
open to non-subscribers as well.  That is, you needn't be on the list
to send things to it.  This should eliminate the "You are not
authorized to send to VIRUS-L" messages that many of you have
experienced.

Digests will be numbered starting with this one, Volume 1, Issue 1.
The Issues will continue to increase until 1989 at which time Volume
2, Issue 1 will come out.  Backlogs are still kept in the same format
- weekly files stored by the LISTSERV.

Ken

------------------------------

Date: Wed, 9 Nov 1988 15:17:26 EST
From: Ken van Wyk <[email protected]>
To: [email protected]
Subject: A couple of forwarded comments on VMS and Unix security

Here's a couple of messages found floating around on the Usenet
regarding VMS vulnerability to a potential worm such as the recent
Internet worm, and a comment on Unix system security.  The latter
comment was made on the same newsgroup (comp.protocols.tcp-ip) as the
first after some security concerns were discussed regarding the ease
at which the Internet worm was able to propogate.

Ken


From: [email protected] (Andrew J Thomas)
Newsgroups: comp.os.vms,comp.protocols.tcp-ip
Subject: Viruses and VMS
Date: 9 Nov 88 05:21:39 GMT
Organization: Purdue University


 Most of you are probably aware of the worm ("virus") that spread
around the network last week.  The worm spread by three methods:
password guessing, a sendmail bug, and a fingerd bug.

 Any VMS systems running TCP/IP software may be vulnerable to
future viruses/worms.  There are two things to check for: the smtp
server, and the finger server.

 We are running the Wollongong TCP/IP software (no eunice).
The smtp server does not have the debug mode enabled, so it is not
subject to attack.  This can be checked by telneting to smtpd port
and typing 'debug'.  If it accepts the debug command, you have a
potentianl security hole.

 The second bug is in the finger server. The finger server can
read in an optional line of username(s).  The bug is that it doesnt
check to see if the line exceeds the buffer size.  If it does, it
overwrites memory.  You can check this by telneting to the fingerd
port and entering a line longer than 512 chars.  If you get no finger
response, or get an error message, you have a potential problem.
I am not sure how it could be exploited.

 The Wollongong fingerd program has this bug.  I was unable to get
the fixed BSD fingerd.c to work.  However, I did come up with a
solution that seems to work.  I copied [netdist.user]finger.exe
to [netdist.serv]fingerd.exe.  This change takes effect as soon
as the file is copied, no need to reboot.  I've done this on our
system and it works fine.

 Why does this work?  The Wollongong fingerd has a "feature"
that causes it to ignore usernames parameters (even though it can
overrun the buffer reading them) and will just give a list logged on
users, even if information about one user is requested.  Since the
finger program will not read input, it wont overrun the buffer.
Its default ouput is the same as fingerd, but without the bug.

 The usual disclaimers apply to this solution.

 I don't know about the CMU TCP/IP code.  Since it is written in
bliss, and not just a straight port of BSD to VMS, it may not have
any problems.  If anybody knows for sure, I would like to know, and
I am sure others would also.

                   Andy Thomas
                   [email protected]
                   [email protected]




From: [email protected] (Scott MacQuarrie)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Re: Crackers and Worms
Date: 8 Nov 88 22:40:09 GMT
Organization: AT&T Canada Inc., Toronto


There is a product available from AT&T's Federal Systems group called
MLS (Multi-Level Security) which provides B1-level security in a
System V Release 3.1 environment. I have seen the product on a 3B2,
it's availablity from other vendors would probably require work by
those vendors. (Yes Henry, we might even help them do that :-) ).

Scott MacQuarrie
AT&T Canada Inc.
uunet!attcan!scott

p.s. Opinions are my own.

------------------------------

Date: Wed, 9 Nov 88 15:53 EDT
From: Savoir faire is everywhere! <SSIRCAR@umaecs>
Subject: RE: Re: MILNET/ARPANET Virus

I have noticed how some people are applauding the intelligence of the
Cornell student who created the virus.  Just remember that his show of
"greatness" required many system administrators to work overtime to
fix the effects of the virus.  If I was the judge at the trial, I
would require the student to reimburse the universities the money
required to fix the computer systems.

                               -Santanu Sircar-

------------------------------

Date:    Wed, 09 Nov 88 09:51 EST
To:      Virus Discussion List                <Virus-L@LEHIIBM1>
From:    John B Harlan                        <JBH693@IRISHMVS>
Subject: Today's NYT


    For anyone who hasn't already seen it, this morning's
National Edition of the New York Times (Wednesday, Nov. 9)
carries an article on the "worm," entitled, "The computer
jam: how it came about," by John Markoff.  It runs on page 38.

                                                  John Harlan
                                       [email protected]

------------------------------

Date:     Wed, 9 Nov 88 08:31:37 PST
From:     [email protected] (Cliff Stoll)
Subject:  Re: VIRUS on ARPA net
To:       [email protected]

Thanks for your note about the virus survey.  I'm buried under
responses -- probably 1 or 200 hundred.  So it will be a week or two
before I collate them and bring some sense to it all.

Of couse I will make all the information public.  I hope I'll be able
to write a paper, perhaps into the communications of the ACM or some
other academic journal.  Strange -- a sort of epidemiology of a virus
infection.

Phooey:  I would rather do astronomy.


Best of cheers,
Clif Stoll
oops   cliff Stoll
oops again, Cliff Stoll

------------------------------

Date:        Wed,  09 Nov 88 14:17:24 +0200
From:        Y. Radai <RADAI1@HBUNOS>
To:          VIRUS-L@LEHIIBM1
Subject:     On viruses, viri and virii ...

 Ben Chi writes that it is an error to use "virii" as the plural of
"virus".  Right.  I suspect that the source of this error is that
someone, by analogy with the fact that the plural of "radius" is
"radii", decided that the plural of "virus" should be "virii".  His
mistake was in not noticing that one of the "i"s in "radii" was
already present in the singular.  In any case, the hideous mis-
spelling "virii" has propagated faster than a virus and has become
quite common on our list.

 Ben says that to form the plural of "virus", try "viruses" or, if
you must, "viri".  But Greg (LYPOWY@UNCAMULT) says it can only be
"viruses", not "viri".  Greg is right ... but for the wrong reason.
He claims that it is because "virus" is NOT a Latin word.  But it most
certainly IS.  (It means "poison", "slime" or "stench".)  However, the
point is that not all words ending in "us", *even if they are of Latin
origin*, form their English plurals by replacing the "us" by "i".  (If
you think otherwise, try using forms such as "circi", "chori",
"minusi", "boni", "campi" and "cauci"!)

 In the present case, as you'll find if you consult a comprehensive
enough dictionary (like Webster's Third New International),
"viruses" is the only correct plural form.  "Viri" is an
understandable mistake; "virii" is a gross error.

                                          Y. Radai
                                          Hebrew Univ. of Jerusalem

 P.S.  Since our terminology is based so much on analogy with
microbiology, try any textbook on that subject.  I've never seen any
form there other than "viruses".  If the microbiologists can get it
right, why can't we?

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.