VIRUS-L Digest              Monday, 14 Nov 1988          Volume 1 : Issue 6

Today's Topics:
Compute's Book of Computer Viruses
Re: digesting
ramifications
Sharing the Blame
Security Expert ?
Digest truncating.
Nov 3 virus
Mail extract from UNIX-COMMS in UK...
Digest form of VIRUS-L...
Usefulness of VIRUS-L "worm" coverage
Naming these nasties...
Sending large chunks of RISKS digests...
RE: More Virus
Transcripts   Wozniak/Cohen

---------------------------------------------------------------------------

Date:     FRI NOV 11, 1988 21.18.33 EST
From:     "David A. Bader" <DAB3@LEHIGH>
Subject:  Compute's Book of Computer Viruses

Has anyone read this book yet?  I just got it, and as soon as I read
it, I'll tell you what I think of it...
 -David Bader
 DAB3@LEHIGH

------------------------------

Date:         Fri, 11 Nov 88 17:12:36 CST
From:         "Mark R. Williamson" <MARK@RICE>
Subject:      Re: digesting

>Date:         Fri, 11 Nov 88 11:29:21 CST
>From:         Steven McClure <SNMCCL@LSUVM>
>Subject:      digesting
>
>digesting the list is in my opinion an idea whose time has come, but
>it creates a problem.  For some reason, all my mail messages are truncated
>at 200 lines.  Is there any way around this problem??

Mr. McClure, are you perhaps using the VM command PEEK to read the
digest?  By default, it only shows you the first 200 lines of any
file in your reader.  You can increase this number for a specific
invocation of peek by including the "FOR nnn" option (to show nnn
lines) or "FOR *" (to show them all, if you have the memory).  You
can also increase your personal default with the DEFAULTS command.
(See the help for more information.)

For example:        PEEK 1234 (FOR 1000
or, from RDRLIST:   PEEK / (FOR 1000
to set default:     DEFAULTS SET PEEK FOR 1000

Mark R. Williamson, Rice University, Houston, TX; [email protected]

------------------------------

Date:         Fri, 11 Nov 88 16:29:12 EST
From:         "Homer W. Smith" <CTM@CORNELLC>
Subject:      ramifications

I agree wholeheartedly with Ken Van Wyk's analysis of the potential
damage caused by the virus if people close down the networks to easy
access.
    I live in Ithaca which is full of gorges in which we often go
swimming.  Most go skinny dipping so this practice is barely tolerated
by the town at large [Ed. Ta dum dum :-)].  But the place we go is so
far away deep into the woods that no one really cared.
    At one of the reservoirs there was a tree with a rope that
kids would swing off a cliff out over the water.  It was
fun and scary but that is what childhood is about, right?
    Two years ago some high school student (straight A's,
head of his football team, never did wrong in his entire life)
got very drunk and took a ride on that rope.  He froze and swung back
hitting the cliff stunning himself.  He fell into the water and
drowned.
    His parents sued the city for irresponsibility and so the city
forbade swimming in the gorges and now patrol the place with police
every summer.  I was one of the first to be arrested for going there.
    This was a major loss to us who are used to the various
assets of Ithaca.  Although we feel sorry for this one kid,
and his parents, many of us who otherwise would have behaved
in a responsible manner at the gorge find it hard to find
any sympathy for either of them as they have punished others
for their own irresponsibility.
    What was this clean cut 'mothers' boy doing getting drunk?

    If people get too scared the networks will be shut down.

    Humans react in this way.

    That is why we must harness these destructive forces (bad hackers)
for the good of the world before it is too late.

    I have been very close to the edge of being a bad hacker myself
during my high school years and have stories to tell of shenanigans
that caused IBM much eyebrow raising.  Boy do I wish someone had
come along and said I was a useful person and put all that
good energy to good use.  I would have been as loyal as you please.
In fact IBM did just that and I got to meet all my idols, Kenneth
Iverson among them.  This was in 1969.

    Sometimes the people who are not trying to do damage, just
trying to have some fun and scare the elders end up doing the
most social damage.  We must harness them on a nationwide basis
before we all get harnessed in the impending panic.

    They would make a terrific force against the true terrorists
and malicious pranksters that infiltrate our society.  Fortunately
the more criminal you are, the less bright you are, so we have the
edge.

Homer

------------------------------

Date: Fri, 11 Nov 88 15:57:43 CST
From: Scott Guthery <[email protected]>
Subject: Sharing the Blame

If there's going to be some penalty hits passed out for the net virus,
I'd say that the guy who programmed the hole and the system administrators
who ignored AT&T's memo about the hole deserve as many -5's as Mr. Morris.
In fact were I Mr. Morris' counselor (I'm not even an attorney) I'd certainly
talk a lot about contributory negligence.  System administrators who sue
may get to share another experience with Mr. Morris.

------------------------------

Date: 11 Nov 88 19:55:00 EDT
From: "HUNT, DOUG" <[email protected]>
Subject: Security Expert ?

Well, I finally heard it the other night -- Ted Koppel, who I happen to
think is one of the best interviewers in the popular media, had a program
on the internet events, and (Wozniak's inane remarks aside) Koppel said
something to the effect that if the culprit was not convicted he would
certainly have a career in computer security.

NUTS !!!!

Making no assumptions as to the guilt or innocence of anyone (people ARE
presumed innocent until proven guilty -- not the other way around) the
continued practice of the computer industry and commercial/education/
government institutions in lionizing the reprehensible and unethical
members of the discipline is astounding.  We do not hire murderers as
police chiefs, and we do not hire embezzlers to guard the cash drawer.
Whether the scope of damage was beyond that envisioned, I have NO USE
WHATSOEVER for anyone who even considers to initiate such a program in
which there is even the most remote possibility of damaging others'
data, stealing their private information, or denying them the use of
their resources.

The industry can do well without these folks!

They are and should be treated as pariahs -- redemption of souls is
the province of another discipline.  The perpetrators of such
malicious code have shown themselves to be untrustworthy, and lacking
in ethical standards or common consideration for others, including
their peers.  There should be no place for them in the research,
government, or commercial institutions where they may someday wreak
more havoc and will profit from their behavior and lack of moral
character.

FLAme off.

Doug Hunt

[email protected]

The opinions expressed etc........

------------------------------

Date: 12 November 1988, 16:24:06 ECT
From: Stig Hemmer                                    HEMMER   at NORUNIT
Subject: Digest truncating.

We have had a 200 lines' problem here too. It was our mail-reader
program PEEK that truncated the mail. Try receiving the digest and
THEN read it. If it is untruncated, then there are some easy
solutions:

1) Use another mail-reader e.g. LOOK

2) Tell your mail-reader to accept longer files. In the case of PEEK it is:
 DEFAULTS SET PEEK FOR *

3) Receive your mail before reading it.

4) If none of this works try asking a local guru.
                                  -Tortoise


[Ed. We got quite a few of these PEEK related messages.  I hope that's
what the problem was for the people who were getting their mail
truncated at 200 lines...]

------------------------------

Date: 12 November 1988, 18:17:24 ECT
From: Stig Hemmer                                    HEMMER   at NORUNIT
Subject: Nov 3 virus

Well, let's ask ourselves what would have happened if the virus had
been silent as intended: Somebody would find it and make it harmful.
We have seen it before. NOBODY in their right minds should release a
'silent' virus.
                                  -Tortoise

------------------------------

Date:          13-NOV-1988 07:32:55 GMT
From:          [email protected]
To:            VIRUS-L@LEHIIBM1
Subject:       Mail extract from UNIX-COMMS in UK...
Sender:        Peter_Morgan (Brighton Polytechnic Computer Centre) <pgm@VMS.BTON.AC.UK>

From:   Syngen Brown <[email protected]>  8-NOV-1988 19:42

Systems I checked:    Ultrix 2.0           HLH (Orion) OTS v.2
        SUN v.4      Gould UTX32 v.2      Original 4.2BSD from UCB

Of the above, only Ultrix 2.0 had sendmail compiled without debug, and
if I remember correctly, Ultrix 1.2 sendmail was compiled *with*
debug.

------------------------------

Date:          13-NOV-1988 08:00:56 GMT
From:          [email protected]
To:            VIRUS-L@LEHIIBM1
Subject:       Digest form of VIRUS-L...

I'd asked colleagues in my department whether they were interested in
receiving snippets from VIRUS-L, since we have seen one, and are
tackling publicity at the moment.  I was acting as a filter, rather
than the local virus killer/expert, in that all I'd do would be
forward appropriate msgs.

Can I PLEAD with contributors to indicate "MAC" or "IBM" (or neither,
when a message is related to more general reading) in the Subject line
so that extracting pieces for other people is made a little easier?

At present, I don't have an undigestify tool (except the editor) and
my other experiences of Digests being considerably delayed were borne
out by the five which appeared yesterday, in order 3/4/5/2/1, mingled
with other msgs, inc the ASCII junk (yes, I'm not totally against a
Digest).

I'll see what can be done to that nuisance mail person from UK -
suggesting the SysMgr changes his p/w, logs in as him, and sends a
SIGNOFF * to find out what else he has been subscribed to!

- --end--

------------------------------

Date:          13-NOV-1988 07:30:11 GMT
From:          [email protected]
To:            VIRUS-L@LEHIIBM1
Subject:       Usefulness of VIRUS-L "worm" coverage

Dear Ken, you asked about how helpful VIRUS-L was for sites hit...[not
us]

In the UK, I'm a subscriber to a few lists, and set up a local
distribution mechanism for the more popular ones (INFO-VAX, VAXVMS)
and I scan the text before I delete it [don't trust fully automated
deletions].

VIRUS-L was the first source (for me) about the Internet worm.  I
don't read ANY daily newspapers, and hadn't heard radio or TV news
about it.  That was on Friday 4 Nov @ 21:00 GMT.  I checked the UK's
SUN mail list, and another list called UNIX-COMMS [ZERO! we aren't on
any other Unix list (or USENET/News)] There were pictures from USA on
5th Nov TV News, and comments on radio.

Since I expected few people to be at work Sat/Sun, and there was
potential for students to find out about the mechanism before Monday,
I posted an offer to the UNIX-COMMS list to pass info upon request [so
any users on lists WITH info would not curse me, and since the list is
quite strictly "about OSI ideas and problems", so I [=site] wouldn't
be removed by some administrator].

Monday I received around 10 requests for more information. Follow-up
comments:

"Many thanks, less than 30 mins after I mailed for help our University
Accountant was expressing his panic to Xxxx Xxxxx (Director and Boss)!"
"Thanks for passing on the (very interesting) details. Alan."
"Many thanks for sending this stuff on."

- --end--

------------------------------

Date:          13-NOV-1988 08:14:38 GMT
From:          [email protected]
To:            VIRUS-L@LEHIIBM1
Subject:       Naming these nasties...

I know some things ("Brain" and "nVir") have been named, but can I
suggest others be called <machine>-<class>-<sequence>

Someone listed a number of classes (Virus, Worm, Bacterium +
<other??>) so how about a file on LISTSERV@LEHIIBM1 called VIRAL
CLASSES and an index as VIRAL INDEX ?

<machine>-<class>-<sequence> eg MAC-B-01 or IBM-W-03 could be
identifiers for "unnamed" things, such as the one which was tagged
"Norton virus" because it was found on a Norton Commander disk... That
"tag" is misleading, since it could move to <your-favourite-software>
and it appears to be a "new" one!

If someone has already built an index of the known worms/viruses, could
they please let me know. Please don't tell me to pull the log files
and edit them.

What I'm looking for is a name, machine (& O/S if specific), any
description of the effects, a means of identifying this attacker, any
known cures, any detection methods that work, and detection methods
that fail.

- --end--

------------------------------

Date:          13-NOV-1988 08:38:53 GMT
From:          [email protected]
To:            VIRUS-L@LEHIIBM1
Subject:       Sending large chunks of RISKS digests...

 Whilst I found the extracts from the RISKS Digests of interest, I do
feel that cutting (large) chunks from one digest and placing them in
another can be bad, if the original digest is stored on LISTSERVers
for a week or more.
 My personal preference would be (a) to have lengthy messages near
the end of a digest, rather than the beginning, and (b) to put a
precis of an article in the digest, when it is an extract from another
[say 3-8 lines].
 The latter would allow those who are already subscribers to skip a
paragraph without having several screens of text they've already
received, and let those *who feel it important enough* to get it from
the nearest LISTSERVer. They, in turn, might find other topics they
want to follow, and if they subscribed to a different list, would
benefit from just a paragraph to read instead of lengthy extracts.
 I've cut the list below and you can see there are two RISKS handlers
on this side of the Atlantic (FINHUTC and IRLEARN) and a number
elsewhere.  Cutting to a paragraph would let VIRUS-L Digest get
through faster, too!

USER$DISK_2:[COMPUTER_CENTRE.PGM]BITNET.GLOBAL-LISTS;1
RISKS   MD4H@CMUCCVMA     (Peered) Risks List
       RISKS@FINHUTC     (Peered) Risks in the use of computer systems
       RISKS@MARIST      (Peered) Risks List
       RISKS@UBVM        (Peered) Risks List
       RISKS@UGA         (Peered) Risks List
RISKS-L RISKS-L@IRLEARN   Discussion of Risks to Public in the Use of C

- --end--

[Ed. LISTSERV is a smart program; if you subscribe to a list that is
peered by a LISTSERV closer to you, it will forward your subscription
request to the appropriate LISTSERV.  So, it shouldn't really matter
which LISTSERV you subscribe from.  As for the RISKS submissions; I
tried to include the messages that I felt were of interest to our
readers.  It won't become a habit to send large chunks of RISKS out to
VIRUS-L readers, but there was some very good discussion about the
Internet Worm there, so I passed them on.  Also, I send out digested
messages in the order in which I receive them.]

------------------------------

Date:     Sun, 13 Nov 88 14:44 EDT
From:     Paul Coen <PCOEN@DRUNIVAC>
Subject:  RE: More Virus

>        It seems that some people think that Mr. Morris has done the
>nation a favor by exposing the weaknesses of our defenses to the rest
>of the world. It is a shame that we should have to invest all the
>resources that we do on national defense. However, some things are a
>necessary evil in order to protect our way of life here in the United
>States. If Mr. Morris' intentions were to expose any weaknesses in our
>defenses, then he could have found a more appropriate way to do so.
>Instead, he did in fact jeopardize the security of our nation by
>slowing response time and wasting man hours to stop his little
>'virus'. As many say, "The road to hell is paved with good
>intentions."
>                                Daryl Spillmann

Some points

1) This wasn't a virus, it was a worm.  Was any data lost or destroyed
by this program?  No.  The program did not include the destruction of
data as part of its repertoire.

2) "Exposing the weakness of our defences to the rest of the
world"...face facts....anyone who wanted to could and has hacked on
the internet.  All the worm allegedly written by Mr. Morris did was
show the American public how many holes there were...face it, the
Soviets have known for years, and anyone who doesn't think so is
burying his/her head in the sand.

3) The above point is why machines with truly crucial data are not in
the Internet.  From what I've seen, a good number of the infected
machines were mail servers.  Whoopy-doo.

4) Harming national security by wasting man-hours...yes it wasted time
& MONEY, but I can't really take seriously the assertion that this put
our national security at risk.  The sysadmins and sysmanagers who had
to get the ^@$^#*$ worm out of the systems aren't the people who are
responsible for monitoring world activities, etc.  This thing was more
noise than danger.  Yes, it was embarrassing, yes, it wasted time.
However, there's no need for the wringing of hands.  Face it, IT
COULD HAVE BEEN WORSE, and it probably will be at some time in the
future, since I doubt this is the only hole in Internet and Unix.
Unix has security that brings the phrase "woolly thinking" to mind.

5) Appropriate way to show weaknesses in our national defence....like
what, actually destroying data?  Or hacking into a secure system that
really had important data?  The possibilities are endless.  I think he
picked a dramatic but relatively benign way to prove the point.

P.S.  hey, the method of attack used by this worm is very elegant.  If
Mr.  Morris is indeed the author, I'll bet he's an excellent chess
player.  ;-)

+----------------------------------------------------------------------------+
| Paul R. Coen    Student Operator, Drew University Academic Computer Center |
|   Bitnet: PCOEN@DRUNIVAC       U.S. Snail:  Drew University CM Box 392,    |
|           PCOEN@DREW                        Madison, NJ 07940              |
|   Disclaimer:  I represent my own reality.                                 |
+----------------------------------------------------------------------------+

------------------------------

Date:         Sun, 13 Nov 88 23:49:06 CST
From:         "STEVE M. JOHNSON" <SJ24764@UAFSYSB>
Subject:      Transcripts   Wozniak/Cohen

Those interested in the Wozniak/Cohen discussion may order transcripts
by sending $3.00 to:

NightLine Transcripts
Wozniak/Cohen
Journal Graphics
267 Broadway
New York, New York 10007

I doubt they will allow me to enter the transcripts into BITNET, but I
have asked for specific written permission.

Is there any problem with this, Kenneth?

[Ed. No, that would be great if you can get the permission!]

Steve M. Johnson
University of Arkansas  --  Fayetteville
Hog's breath is better than no breath at all!

------------------------------

End of VIRUS-L Digest
*********************