VIRUS-L Digest            Wednesday, 30 Nov 1988        Volume 1 : Issue 25

Today's Topics:
Security holes (Internet & Un*x) & FSP query (PC)
Internet Worm and Analogies
Did MORRIS break the law?
query re: hardware security (PC)

---------------------------------------------------------------------------

Date:     Tue, 29 Nov 88 11:38 EDT
From:     Paul Coen <PCOEN@DRUNIVAC>
Subject:  Security holes (Internet & Un*x) & FSP query (PC)

       Someone (I forget who) just posted a mesage saying that the
security holes allegedly exploited by Mr. Morris were not well known.
If I'm not mistaken, Mr. Morris Sr., as well as other security
experts, warned about the potential security risk posed by the very
hole the worm used.  In my opinion, any sysadmin who does not pay
attention to what security experts are saying about his or her own
operating system is not doing his or her job.  If the sysadmin doens't
have the time, hire a system security manager!

       Also, this talk of what punishment Mr. Morris should face is
starting to wear a bit thin...nothing any of us say about it is going
to change any opinions here.  Let's get back to the viruses (that's
how I spell it, same way I refer to computer mouses, :-) okay?)!

       One question, does anyone have an opinion (from use, please!)
on the reliability of FluShot+ 1.4 for the IBM PC and compats?

       Also, a friend of mine has a hard card, on a Zenith Z-157
(100% PC compatable, supposidly).  Using DOS 3.2, he can access his
card.  However, if he puts a floppy in drive A and boots off of it
instead of the card, and the disk has the MS-DOS 2.11 system, it
doesn't know that his card is there...anyone trying to do anything
with drive c: is told that it is an invalid drive specification.  Two
questions: Why? and Can this be used to protect his hard card while
test possibly hazardous software, as a virus or trojan horse couldn't
find the C: drive?  (He's going to be the sysop of our school
owned/operated BBS, and will have to test uploads.)  It seems to me
that if DOS doesn't know that the card is there, nothing else can
access that, but this is only a hunch.  Anyone out there know?
Thanks.

+----------------------------------------------------------------------------+
| Paul R. Coen    Student Operator, Drew University Academic Computer Center |
|   Bitnet: PCOEN@DRUNIVAC       U.S. Snail:  Drew University CM Box 392,    |
|           PCOEN@DREW                        Madison, NJ 07940              |
|   Disclaimer:  I represent my own reality.                                 |
+----------------------------------------------------------------------------+

------------------------------

Date:     Tue, 29 Nov 88 16:53:49 MST
From:     [email protected] (Reid Fletcher)
Subject:  Internet Worm and Analogies

> Theodore Ts'o <[email protected]> writes:
>                                                    ... For example, it
>is a fact that the average lock on the entrance to the average American
>home can be picked in thirty seconds or less.  However, you won't find
>any robber arguing that it was the homeowner's fault that he didn't have
>a better lock on the door!

Even though they probably should have.  Sincerely!

>                  ... Whether the crime is rape, robbery, or letting a
>computer virus loose on the net, using that particular form of logic is
>equally invalid.
>                                               - Ted

   Mr. Morris' release of the Internet Worm was wrong whether or not
a law exists prohibiting it.  However, the crimes that have been used
as analogies here and elsewhere are far more heinous and not
analogous.  I speak of murder, rape, burglary, robbery, assault.  What
he did was analogous to trespass and scattering litter with it's
attendant environmental impact ;-).  Rape is a crime involving
terrible personal mayhem.  Usage of the term evokes strong emotional
or sensational responses not appropriate to Mr. Morris' dirty deed.
Robbery is a type of theft.  He did not steal anything (at least so it
seems).
  About the estimated $20 million in resources spent cleaning up the
mess: When a person's home is burglarized, the homeowner has to expend
time determining what has been taken, dealing with the police reports,
etc.  Those resources are generally never recovered.
                                                     Reid

+-----------------------------------------------------------------------------+
! Walter Reid Fletcher, WB7CJO          Bitnet:  FLETCHER@UWYO                !
! Vax Facility Manager                           FLETCHER%LODE@UWYO           !
! Department of Geology and Geophysics           FLETCHER%MOHO@UWYO           !
! University of Wyoming                                                       !
! Laramie,  Wyoming                   Internet:  [email protected]     !
+-----------------------------------------------------------------------------+

------------------------------

Date: Tue, 29 Nov 88 14:24:45 PST
From: James Robert Dishaw <[email protected]>
Subject: Did MORRIS break the law?


Did MORRIS break the law?
   This is a very intresting question, as pointed out by another
suscriber.  NO ONE can say that he has indeed broke the law, that is
to be decided by a jury, so until then he is innocent.  The more
intresting question is the law itself.  Currently the United States
Code has a very weak stance to computer crimes.  The reason for this
weakness is a culmination of several factors: How do you assess
damages, what is tresspassing, ignorance on the part of the lawmakers,
and jurisdiction.
   Some people claim that a computer has been damaged only when
hardware failure occurs, others also include software damage.  I tend
to support the latter.  Software is an investment and requires
valuable resources to maintain (in the form of programmer-hours).
When the programming staff has to spend 500 hours fixing software
damage done by a virus, it is a major waste of programming resources
better spent elsewhere.  When a user causes accidental damage to
hardware/software, that falls under operational costs, whereas viral
damage is intentional and causes a diversion of limited resources.
There is no way a comparison between user and viral damage can be
drawn, they entirely different concepts.
   Tresspassing is the next major point.  I have heard some people
claim that computer networks should be open networks.  I have to
disagree, on most, if not all, systems research is being performed and
that requires security.  There is something called intellectual
property in this country and it deserves to be protected.  Also, the
networks that connect the different sites exist for the purpose of
transmitting information to authorized users.  There are networks that
are open to all sites (like BITNet, ARPANet, Janet) but some are
restricted for good reason (JNet, MilNet).  Furthermore, at many sites
users have to pay for the time the use, so when illegal use of a
computer occurs, there is a theft of service and an attempt to defraud
the rightful owners.
   As incredible as it may sound, computers are still new.  The
lawmakers (eg. Congress) are not familarized with computer crime.  A
solid effort has to be made by the computer industry (both hardware
and software) to educate the lawmakers on this issue.  The perfect
example is software licenses.  When one "buys" a software package,
only a license to use the software is provided.  If one takes the
oppurtunity to read these licenses, the first thing that one will
notice is the differences.  Borland International (at least in there
early licenses) defined the package to be copyrightable material like
a book, usuable in one place.  Is software patented or copyrighted?
How about networks?  What constitutes piracy?  Everybody has there own
definition, but a standard has to come forth from Congress.
   My last point is on the question of jurisdiction.  My solution is
to make computer crime a federal offense, that way it falls under the
jurisdiction of the federal government.  With the advent of electronic
networks, computer crimes can occur at the national level (as
evidenced by nVIR, the ARPANet virus, etc...)  Instead of letting each
state set its own rules, make it a federal offense.  This provides
certain benefits in enforcement, since the crime would fall under the
jurisdiction of the FBI.
   The computer community has taken some bad knocks from the actions
of overcurious hackers, who despite all reason, do questionable
things.  It may be fun to hack around, but don't do any damage.


                                  -Bob

All opinions expressed here are entirely my own.  Flames cheerfully
accepted.

------------------------------

Date:     Wed, 30 Nov 88 03:12:14 -0900
From:     BYUNG H LEEM                     <[email protected]>
Subject:  query re: hardware security (PC)

Hi!
I was hoping someone could tell me whether security cards (plug in)
for the pc (like Triad+ from Micronyx) will prevent viruses from doing
what they do... Also, why is it that pc's are intrinsically insecure?
I've heard a couple of people mention direct write access to memory
but can't such access be prevented?  (how is it done?)  Also, does
anyone know Fred Cohen's bitnet (whatever net) id? (if he has one)
Thanks!
Bill
FTBP@ALASKA (Byung Hee is my wife!)

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.