VIRUS-L Digest Wednesday, 23 Nov 1988 Volume 1 : Issue 19
Today's Topics:
next it will be the Nazi terror...
Re: Morris and punishment.
follow up on "hacker" paper anncmnt
Going easy on Morris
SCORES Virus (Mac) Sighted At Washington State U.
Jurisdiction & the Morris case
Morris and 'security'
Re: Info on CHRISTMA EXEC (IBM VM/CMS)
Computer Security Conferences
Hardware Vandals
Re: The $20 million figure for lost time...
Virus and ETHICS articles
---------------------------------------------------------------------------
Date: Tue, 22 Nov 88 13:01 CST
From: Gordon Meyer <TK0GRM1@NIU>
Subject: next it will be the Nazi terror...
Jeff Ogata recently compared the Internet worm damage to a drunk
driver killing somebody, and the Union Carbide "accident" that killed
and maimed many.
Jeff, I don't want to single just you out...this has been a problem
with many postings.
Can we PLEASE stop talking like this virus did actual physical harm
to somebody?! Sure...it may have eaten up hours of system time,
used up overtime money for system programmers, and generally
caused some headaches. But nobody was killed or maimed!
Only by sticking to a reasonable analogy can we counter the
hyperparanoia that things like this generate.
Thanks for your attention
- -=->G<-=-
Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER CIS: 72307,1502 Phone: (815) 753-0365
Bitnet: tee-kay-zero-gee-are-em-one at enn-eye-you
Disclaimer: Grad students don't need disclaimers!
I'll have an opinion when I get my degree.
- --- BE YE NOT LOST AMONG PRECEPTS OF ORDER... (book of Uterus) ---
------------------------------
Date: Tue, 22 Nov 88 19:08 EST
From: Ain't no livin' in a Perfect World. <KUMMER@XAVIER>
Subject: Re: Morris and punishment.
Whether or not Mr Morris' virus caused harm or was intended to
isn't the issue here. In other areas we can see that intention to
commit a crime or break a law doesn't play a part in penalizing
someone or another organization for a crime committed. For example,
this October, the NCAA put the University of Cincinnati basketball
and football programs on 3 yrs. probation for recruiting violations.
Their football team has had 6 consecutive losing seasons and their
basketball team's last appearance in a post-season tournament was in
1985 in the NIT. The NCAA even said they didn't intend to commit
these violations, and clearly no harm was caused because they've got
such bad teams anyway. But what the NCAA did see was the need to protect
the other schools that participate from unfair recruiting tactics
committed by teams trying to get an unfair advantage.
This is similar to what has happened with this virus. Even
though it was not intended to cause harm, and probably caused very
little, it was annoying for those involved with it. Everyone else
who tries to use a computer for honest means should be protected from
the select few who want to annoy people with their talents.
Tom Kummer
------------------------------
Date: Tue, 22 Nov 88 22:50 CST
From: Gordon Meyer <TK0GRM1@NIU>
Subject: follow up on "hacker" paper anncmnt
As of 11/22/88 10:30pm CST I have responded to all requests
for my paper ("Hackers, Phreakers, and Pirates: The Semantics of
the Computer Underground"). Those of you who asked for one should
be getting it shortly. Thanks for your interest, and I look forward
to hearing any comments you may have.
If anybody still wants a copy, I'll continue to send it. But I'm
going away for Thanksgiving so my response time will be delayed.
Apologies to those that had trouble getting through to me. I've
learned more about the various networks and mailing methods than
I ever cared to know! :) So far none that I've sent have bounced
back (with one exception...see below) but let me know if you don't
get your copy over the next couple of days (allowing for network
delays and such).
Thanks again for your interest, and happy thanksgiving to our
US readers.
- -=->G<-=-
* Keven Lepard ([email protected]): our mailer doesn't know
anything about "albion". Can you supply an alternate address?
Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER CIS: 72307,1502 Phone: (815) 753-0365
Bitnet: tee-kay-zero-gee-are-em-one at enn-eye-you
Disclaimer: Grad students don't need disclaimers!
I'll have an opinion when I get my degree.
- --- BE YE NOT LOST AMONG PRECEPTS OF ORDER... (book of Uterus) ---
------------------------------
Date: Tue, 22 Nov 88 21:57 EST
From: "Mark H. Anbinder" <[email protected]>
Subject: Going easy on Morris
Morris may not have ruined anyone's life, but he sure caused an awful lot
of trouble for one little grad student. What he did was against the law,
not to mention against all sane ethical values, and he should be punished
appropriately, as the law provides.
The comment that we left the holes in our systems and therefore should
blame ourselves for his intrusion is silly. If I leave my front door
unlocked and I'm robbed, sure it was dumb of me, but someone still broke
the law. Only if I put a sign at the roadside saying
FREE TELEVISION, STEREO
AND COMPUTER...
JUST WALK IN!
..could the robbery be considered anything but a robbery. Morris has
waltzed uninvited (or at least his program alter ego has) into our
computer systems, and even though he didn't maliciously destroy or
interrupt anything, it caused plenty of problems.
The man should pay for what he has done.
Mark H. Anbinder
Department of Media Services
Cornell University THCY@CRNLVAX5
[email protected]
------------------------------
Date: Tue, 22 Nov 88 15:26:35 PLT
From: Joshua Yeidel <YEIDEL%[email protected]>
Subject: SCORES Virus (Mac) Sighted At Washington State U.
The infamous SCORES virus has been sighted on Macintosh computers at
Washington State University. It was first sighted on a Macintosh in
our Computing Information Center, but it has since been seen on staff
computers and on disks in our Microcomputer Lab.
We are taking the obvious steps: distributing Interferon, Vaccine,
Virus Detective, and Virus RX to users on locked startup disks; and
writing and distributing a short document on what a virus is, how it
spreads, and how to detect, protect from and correct viral infections.
We are also instituting a procedure to prevent our MicroLab from being
a source of infection. We call it "disk washing". When the diskettes we
hand out to users are returned, they go in a "dirty disks" box. Before
they can be handed out again, we copy onto them the appropriate software
from locked backup disks that never circulate. It is exactly analogous
to washing dishes in a restaurant. Unfortunately, it's also quite a bit
of extra work -- an increment we certainly didn't need.
We also signed up for VIRUS-L -- whence this note.
------------------------------
Date: 23 November 88, 11:33:06 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: Jurisdiction & the Morris case
Code: The Byte '+' (sent as '48'x) is meant as a paragraph sign.
Hi list,
the recent contributions and flames seem to neglect an important legal
distinction: criminal vs. civil law. At least in our country, this con-
stitutes quite a difference, and that'll probably be similar in USA.
Please read the following with the proviso, that I'm arguing due to
my understanding of German law, and that in USA things might be slightly
different. And forgive me, if I don't choose the correct legal terms.
Criminal law:
For writing or spreading a worm (as Morris did), you can only be
punished, if there's a law against such activity, such as the German
+303a, or that US Title mentioned recently. It depends on the exact
wording or context of the pertinent law, whether the act is prosecuted
ex officio, or only due to petition. Many articles in criminal law
(at least in Germany) draw a distinction on whether the act was
committed deliberately (more severe punishment), negligently (less
severe punishment), or through no fault (no punishment, at all).
In court, the attorney has to offer proof of the facts, and of the
responsibility.
Civil law:
If you do damage to property of other persons or institutions, you are
liable for it. The affected may (at his/her discretion) sue the
perpetrator for damages -- regardless whether it was done deliberately
or negligently; in German law there are even cases, when you can sue
a person/institution for damage that was done through no fault: this
applies e.g. to Railway Companies for "inevitable" accidents.
My opinion:
As we got no answer as to the exact wording of that US Title, I cannot
guess, whether Morris can be punished or not. Personally, I agree with
those contributors to VIRUS-L pleading against severe punishment, as
there was probably no purpose.
If, however, everybody will sue Morris for the manpower devoted to down-
tracking and removing his worm, and if he will be sentenced to compensate
for those 20 Megabucks we've read of (not to forget lawyer's fees and
legal expenses for some 1000 civil law suits), his life will pretty well
be spoiled -- probably more than by a criminal punishment. He's in need
of a very, very good lawyer to obviate this threat. Again, the petitioners
will have to prove Morris' liability and the amount of the damage caused.
Since Morris was not the only person liable for the success of the worm
(the programmers and system administrators, who left the back-door open,
are nearly equally liable), and since only the inevitable part of the
damage must be compensated for (e.g. no man-power to dis-assemble the
worm), Morris probably will not have to pay the full 20 M$, but even half
or a quarter of this amount will be more than enough to knock him out.
This will probably happen, regardless of our opinions.
Children, let this be a warning to you, and do not play with the fire!
Otto
------------------------------
Date: Tue, 22 Nov 88 20:32:16 EST
From: Jefferson Ogata (me!) <OGATA@UMDD>
Subject: Morris and 'security'
I've never heard anyone say that Unix systems are secure. Nobody was
offended in the least that a program could infiltrate those systems.
Anyone who might have thought his Unix system was secure would cer-
tainly have plugged the sendmail and fingerd holes already. The only
folks who got stomped by the worm were those who didn't care enough
about security to take protective measures. So the thesis that host-
ility towards Morris is the result of wounded pride is ridiculous.
In fact, I haven't detected any hostility towards Morris period. I
think Morris is generally regarded with a certain pity. The reason
people are clamoring for prosecution is manifold. Some would like
to use Morris to set an example towards other evil hackers. This is
reasonable, because Morris has achieved a high publicity level, and
because he did break the law. Another reason for prosecution is the
need to maintain as consistent a legal system as possible. This is
the reason why he cannot be sentenced to public service to make him
once again 'useful' to society. Our legal system is punishment
oriented; its purpose is not rehabilitation nor is it reentry into
society. It is unreasonable to treat Morris differently from other
criminals merely because of his reputed intentions. This is an
issue of the ethics of our legal system; it has nothing to do with
Morris' case in particular.
It is true that there was no security for Morris to break. This is
irrelevant. If you don't lock the front door of your house, this
does not constitute permission for anyone to enter. And if someone
entered every unlocked house in a major city, they would hopefully
be prosecuted, regardless of whether they stole anything.
In fact, Morris' program did 'steal' something. By reporting some
statistics on the infection rate as it spread, it was revealing the
level of security-mindedness of hundreds of systems. This consti-
tutes a blatant invasion of privacy. Consider if the person who
enters every unlocked house subsequently publishes a list of those
houses he was able to invade, thereby tipping off everyone as to who
the prime targets are. This is about to happen on an even larger
scale, as surveys of the infected sites are completed.
- - Jeff Ogata
------------------------------
Date: 23 November 1988, 14:09:48 GMT
From: Ahmet Koltuksuz (51)275858 BILSER3 at TREARN
Subject: Re: Info on CHRISTMA EXEC (IBM VM/CMS)
Hello Everybody;
I have recently requested some info on CHRISTMA EXEC on this mail list
as most of you guys will surely remember. Well wonders of wonders...lots of
very kind people responded in a highly informative way and I'm so much
proud of them. I would like to thank 'em again....so let me put their
names and E_Mail addresses as to let everybody know these cooperative
people. Please all of you guys who are listed below accept my sincere
regards and thanks.
***** James FORD : <JFORD1 at UA1VM > *****
***** Gabriel BASCO : <GJB100C at ODUVM > *****
***** Rudi Van HOUTEN : <ACBHOUR at HUTRUUD > *****
***** Mark ANBINDER : <THCY at CRNLVAX5> *****
***** Dimitri VULIS : <DLV at CUNYVMS1> *****
***** Sean OWENS : <SEAN at PITTVMS > *****
***** Bob PARKS : <C27901RP at WUVMD > *****
***** Otto STOLZ : <RZOTTO at DKNKURZ1> *****
***** Christian MUELLER : <CHSTUD1 at DKNKURZ1> *****
Ahmet KOLTUKSUZ : <BILSER3 at TREARN>
------------------------------
Date: Wed, 23 Nov 88 09:51:59 EST
From: [email protected] (Eric Roskos)
Subject: Computer Security Conferences
> There are no proceedings, as such, that I am aware of.
Recently there's been a lot of discussion and questions raised about
the various computer security conferences, how to get their proceedings,
etc.
I've never heard of the CSI conference, but there are three major computer
security conferences each year, which do publish proceedings:
1) The IEEE Symposium on Security and Privacy, held each year in Oakland,
for which you can get the proceedings through the IEEE. If you're
an IEEE member, they're listed in the catalogs of publications they
send out once periodically.
2) The DOD/NIST National Computer Security Conference, held each year
in Baltimore. I'm not sure how you get a copy of these proceedings
other than attending the conference. Almost everyone involved in
computer security attends this one; this year, it overlapped the
Virus workshop held near Lehigh, which is probably why a lot of
computer security people didn't make it to the Lehigh workshop.
3) The AIAA Aerospace Computer Security [Applications] Conference, held
each year in Orlando. I believe you can get copies of the proceedings
from the American Institute of Aeronautics and Astronautics,
370 L'Enfant Promenade, SW, Washington, DC 20024-2518. This year's
conference is being held in a few weeks (December 11-16). Some
of the people who contribute to VIRUS-L will be presenting papers
there, though not necessarily on viruses. :-)
All of these conferences cover fairly advanced research in computer
security (a lot of the people presenting papers have PhDs in Computer
Science or related fields), so if you are just casually interested
in viruses, etc., you may find them not particularly interesting.
They are regular academic conferences, just like conferences in most
fields of Computer Science, and are of a similar nature.
Also, (1) above, which generally has the most "academic" topics,
has a limited attendance. (2), as I mentioned, is attended by a very
large number of people and has a very wide variety of topics discussed,
and is probably the one to attend if you have to just pick one. They
generally cost around $400 or so to attend (the AIAA conference this
year was $465), although they may have student rates, I don't know.
------------------------------
Date: Wed, 23 Nov 88 10:21:17 EST
From: Don Alvarez <[email protected]>
Subject: Hardware Vandals
We've read a fair amount here lately about how one might
physically damage hardware with a piece of malicious code.
Unless I'm mistaken, there hasn't been much said on the
subject of how to PREVENT damage to hardware by malicious
code. I'm particularly interested in how chips with built-
in test features might affect the situation. Adding internal
test features basically means you give the chip an additional
new mode, in which (if it's a working chip and you know how
the innards are arranged) you the nasty programmer suddenly have
an enormous amount of control over the outputs of the chip.
If the testability features are serious enough, you might even
be able to turn inputs into outputs, with all the obvious fun
that would entail (a chip would have that feature if it had
too few "natural" outputs for the number of internal registers
and such you might want to look at).
People have flamed about "secure" operating systems from an
anti-virus point of view. Let's extend this to hardware.
In general terms, what can you do, and what do you need
to know to try to configure an anti-vandal system? In a specific
sense, you need to know how all of your chips work and what
effects they can have if used in improper modes, but is there
a methodology one could use to ensure a reasonably safe system
in the general case?
As I understand it, we're supposed to be the good guys. It's
definitely important to know what the bad guys might do (and
really neat, too... that disk-drive resonant frequency hack is
cool!), but it's at least as important to think about what one
can do to PREVENT bad things.
Don Alvarez
[email protected]
Oh, yeah... here's my personal favorite hypothetical nasty...
Recently fired programmer in an automated factory programs
robotic arc welder to cut through LAN cable, bringing the entire
factory to a halt and blowing every transceiver in the building.
(If you're going to go for the glory, you might as well
go all the way... I bet you could run the damages well into the
millions and cause a MONTH of down time for an entire factory
this way)
Have a nice day
NOTE: Don't try this at home, kids, these folks are trained
jello snorflers. Any resemblance between the words used here
and any actual ideas is purely a coincidence.
------------------------------
Date: 23 Nov 88
From: J.D. Abolins <OJA@NCCIBM1>
Subject: Re: The $20 million figure for lost time...
The first I heard of that figure was from a NBC-TV TODAY SHOW's
interview with John McAfee about 2 weeks ago. He did not explain how
the figure was derived.
------------------------------
Date: 23 Nov 88 11:55:00 EDT
From: "AMSP6::CHRISTEVT" <christevt%[email protected]>
Subject: Virus and ETHICS articles
I N T E R O F F I C E M E M O R A N D U M
Date: 23-Nov-1988 11:54
From: Victor ET Christensen
CHRISTEVT
Dept: ASD/SCNX 676-111 (B)
Tel No: (513)255-/AV785-2064
Subject: Virus and "ethics" articles
The 21 November 1988 issue of "Government Computer News" (GCN) has two
articles that might be of interest to y'all:
"BIG GUNS TAKE AIM AT VIRUS," by Neil Munro, starting on page one and
continuing on page 100; subject matter should be pretty obvious.
"WHY SOFTWARE DEFECTS SO OFTEN GO UNDISCOVERED," by William E Perry, on
page 85; mentions some reasons why bugs/holes like those exploited by
the current worm don't get fixed...sounds like a bit of ethics to me.
So as not to violate any copyright laws, I have not included either
article in part/full...if there's enough interest to have them posted here,
I'll contact GCN and ask them for permission to do so; reply to my account,
not the mailing list, if you'd like to see them here.
THIS MESSAGE ALSO SENT TO THE TCP-IP AND ETHICS-L LISTS
ET B ME
VIC
!
------------------------------
End of VIRUS-L Digest
*********************