VIRUS-L Digest             Thursday, 8 Dec 1988         Volume 1 : Issue 39

Today's Topics:
RE:  CERT organization
General Macintosh virus query
re: $95 million cost of Internet Worm
Spinrite (PC)
Bursting

------------------------------

From: "HUNT, DOUG" <[email protected]>
Subject: RE:  CERT organization

The CERT organization is not a single "team" of individuals, but
rather a network of the best and brightest "hackers" or wizards as
DARPA calls them at the colleges, universities and research
institutions which compose the ARPANet.  These folks are intended to
be on call in the case of an emergency and coordinated through various
local points where communication and processing resources can be made
available even if the NET goes down.

In a sense it is formalizing (but not too much) the actual ad hoc
activity that occurred around the last event.  It also adds resources
and what not to support the activity and ensure that there are
reliable channels of communication and coordination for the ARPAnet
and Internet users.  It is focused on the Unix users community and is
actually coordinated out of SEI.

It is not truly a DoD activity although it has been organized and
supported by the DARPA folks.

------------------------------

Subject: General Macintosh virus query

Hello,

I am an Academic Programmer at the University of Akron, Ohio.  I am
interested in obtaining more information about viruses and the
Macintosh.  I know that this is a fairly general request -- but I
don't have any specific questions.

We have experienced viruses on the Macintosh, but have not been able
to detect what they are nor do we have any vaccines for them.  So I
would like any and all information relating to viruses and vaccines
that are available.

I would guess that there are several vaccines available as public
domain and I would like information about them.  However, I have a
user who would like to purchase a vaccine (to insure integrity, etc.)
so if anyone has any information about vaccines available for purchase
I would like that also.

I am not on this list so any responses can be sent to my E-Mail
address:

DUBOSE@AKRONVM

Thank you,

Kathy DuBose
The University of Akron

------------------------------

Date: Thu, 8 Dec 88 10:05
From: Don Alvarez <[email protected]>
Subject: re: $95 million cost of Internet Worm

>The Computenewsletter (#84) quotes an estimate
>from USA TODAY saying that the cost of the incident exceeds
>$95 million.
"This is based on 6200 computers affected, requiring 12 programmers at
each site to spend 36 hours each (at $22 per hour) checking out every
system that might have been affected, and adding in lost computer
time (16 hours per system at $372 per hour).  However, even if this
figure substantially overstates the case, there is no doubt that the
true costs  were indeed in the millions of dollars."
..End Quote

    Like many others, when I read this I pulled out my calculator to
    check how they combined those numbers (ie how many computers are
    they assuming per "site"?).  Sure enough, $95 million comes from
    assuming one computer per site.  I think that's nonsense.  I'll
    bet the average is AT LEAST ten computers per site.  We're pretty
    small potatoes here and we had something like forty computers
    get hit.  That means in order to keep up with the Joneses, we
    should have thrown 12x40 = 480 programmers at the problem.  You
    should not be surprised to say that we managed to handle the
    incident with less than one dozen programmers total.  Computers
    and programming do not scale in the normal manner.  Chances
    are, as the number of computers at a site went up, the number of
    programmers required per machine went down nearly exponentially
    (if you only have three machines, you probably have no idea about
    how they are connected, but if you have 200, you know EXACTLY how
    every one is connected to every other).

    If we re-do the NCSC's calculation assuming 10 machines per site
    and 12 programmers per site, we get a cost of only $40 million.
    If we then note that the widely quoted 6000 machine number
    originated in a press conference at MIT where somebody (Jeff
    Schiller?) made a complete guess, then we have to wonder about
    the 6200 number (6000 +200 to give it an extra significant
    digit?).  I've heard much smaller numbers suggested by others
    (such as three thousand).  That would pull the cost down to more
    like $20 million.

    I don't mean to imply that my number is any better than theirs,
    but if somebody gives you some numbers and then draws a
    conclusion from them, you have an obligation to see if their
    conclusion agrees with their numbers, and I think in this case
    that the answer is that it doesn't.  One computer does not a site
    make.

               Sorry about that... my two sentence flame
               seems to have gotten a little out of hand.
               thanks for staying with me...

                       - Don Alvarez

    + ----------------------------------------------------------- +
    |   Don Alvarez               MIT Center For Space Research   |
    |   [email protected]      77 Massachusetts Ave   37-618   |
    |   (617) 253-7457            Cambridge, MA 02139             |
    + ----------------------------------------------------------- +

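An added example, not part of Don Alvarez's message or the digest: the quoted cost model written out as a function so the three cases argued above (one computer per site, ten per site, and ten per site with only 3000 machines) can be recomputed from the stated per-site and per-system figures.

```python
# Added example (not from the digest): the USA TODAY cost model quoted above,
# parameterised by the number of machines per "site" so the alternative
# assumptions in the message can be checked against its conclusion.

PROGRAMMERS_PER_SITE = 12
HOURS_PER_PROGRAMMER = 36
PROGRAMMER_RATE = 22          # dollars per hour
LOST_HOURS_PER_SYSTEM = 16
SYSTEM_RATE = 372             # dollars per hour of lost computer time


def worm_cost(machines, machines_per_site=1):
    """Estimated cleanup cost in dollars.

    machines_per_site=1 is the implicit assumption of the quoted estimate:
    every affected computer is counted as its own site, so the programmer
    labor is charged once per machine rather than once per site.
    """
    sites = machines / machines_per_site
    labor = sites * PROGRAMMERS_PER_SITE * HOURS_PER_PROGRAMMER * PROGRAMMER_RATE
    downtime = machines * LOST_HOURS_PER_SYSTEM * SYSTEM_RATE
    return labor + downtime


def scenarios():
    """The three cases discussed in the message, in millions of dollars."""
    return {
        "quoted estimate (6200 machines, 1 per site)": worm_cost(6200, 1) / 1e6,
        "6200 machines, 10 per site": worm_cost(6200, 10) / 1e6,
        "3000 machines, 10 per site": worm_cost(3000, 10) / 1e6,
    }


if __name__ == "__main__":
    for label, millions in scenarios().items():
        print(f"{label}: ${millions:.1f} million")
```

Running it gives roughly $95.8, $42.8 and $20.7 million for the three cases, which is where the "$95 million", "only $40 million" and "more like $20 million" figures in the message come from.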
------------------------------

Date: Thu, 8 Dec 88 11:00:58 CDT
From: Len Levine <[email protected]>
Subject: Spinrite (PC)

>From:         3ZLUFUR@CMUVM
>Subject:      Low level format (PC)
>
>In v. l:31, H. Smith asks about reformatting hard disks.  I'm not a
>tekkie, but I assume SpinRite will do the job.  It is advertised
>mainly as a way to low level format hard disks while leaving all data
>in place.
>
>It is put out by Gibson Research Corp (Box 6024, Irvine, CA 92716) and
>I think my copy was about $60.  This is the Gibson that writes a
>column for Inforworld.

I use it regularly.  Spinrite will NOT clean out viruses that have
been written to your disk, it will very carefully remove them,
reformat the disk, and then replace them, just like it does with any
other code.

It will, however, "fix" bad blocks that a virus has used to secrete
stuff, and make them available to the disk again.

No, if you want to truly clean out any stuff on the disk, a true low
level reformat with all stuff deleted is the only way.

As stated earlier in this newsletter, low level formatting is nuclear
warfare against a virus.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail [email protected] |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date:     Thu,  8 Dec 88 13:14 EST
From:     "SysOp: HelpLine BBS (703) 269-4802"
         <STU_CWHITES@JMUVAX1>
Subject:  Bursting Digests for VAX/VMS?

   Although I do like the new digest format, when I want to
forward one message from a digest to someone I have to
extract it from mail, and then edit out the particular
message.  Does anyone know of a way to burst the digest
into individual messages?  Our system is a VAX.  Thanks!

Chip Whiteside
STU_CWHITES@JMUVAX1

[Ed. GNU EMACS is available for VMS machines (we have it running on
ours), and it does have an undigestifier.  However, its undigestifier
is meant to work with standard Unix RMAIL files, and it may take some
work to get it to work in VMS.  Anyone out there have any better
solutions for VMS machines?  How about others, like IBM VM/CMS?]

------------------------------

Date:         Thu, 08 Dec 88 14:33:26 EST
From:         "Christian J. Haller" <[email protected]>
Subject:      Re: Cost of the RTM worm

>The Computenewsletter (#84) quotes an estimate
>from USA TODAY saying that the cost of the incident exceeds
>$95 million.
> "This is based on 6200 computers affected, requiring 12 programmers at
> each site to spend 36 hours each (at $22 per hour) checking out every
> system that might have been affected, and adding in lost computer
> time (16 hours per system at $372 per hour).  However, even if this
> figure substantially overstates the case, there is no doubt that the
> true costs  were indeed in the millions of dollars."
- ---------------------
I heard a reporter called somebody at UC Berkeley and asked how many
computers they had (around 1000) and what percentage were affected
(around 10%), and then blindly applied this percentage (for a highly
networked campus) to the number of computers on the Internet.  The
real percentage is probably much lower.

Also, what is this about 12 programmers at each site spending 36 hours
each at $22. per hour?  Most of the computers I know aboey, either.

These estimates seem like the most hoked-up, self serving bull!**!
The commercial sources of them should be ashamed.

- -Chris Haller, Cornell University

Disclaimer:  My opinions are independent of any official positions of
my employer.  And I don't know RTM.  And maybe he didn't even do it.
Acknowledge-To: <CJH@CORNELLA>

------------------------------

Date: Thu, 8 Dec 88 14:55:10 EST
From: Don Alvarez <[email protected]>
Subject: re: CERT/SWAT teams

   Conventional SWAT teams are effective because the law enforcement
   community has been able to identify a relatively small number
   of basic scenarios which cover 95% of the crimes they need to
   respond to.  The SWAT teams are then able to drill the heck out
   of those scenarios (hostage-taking, bank-robbery, etc.).
   When they move in, the SWAT team has the advantage of already
   having been under fire, and of having practiced against exactly
   the scenario in question.  The cand is not well understood.  People
   don't understand network vulnerability well enough to develop
   the same sorts of detailed scenarios that the guns and bombs guys
   use.  Even worse, the possible responses to computer crime are
   fairly limited and easy to predict, so in this case the criminal
   has the advantage of a relatively inexperienced adversary with
   a limited set of options -- exactly the reverse of the case that
   the SWAT team relies on.

   The other advantage that a SWAT team has is detailed knowledge
   of their comrades' strengths and weaknesses.  There does not
   need to be any discussion as to who will handle a given task:
   the choice is always obvious in a well prepared team.  This IS
   something that a CERT-type team could work on.  Another advantage
   of a SWAT team is that it can mobilize in a hurry and has good
   communications facilities.  This is another thing which a CERT
   team could use to its advantage.  One    you were on the same side.  Basically, in my opinion a CERT team
   would basically be an exercise in group dynamics, collecting and
   organizing a group of people who through the course of their
   everyday work have acquired the requisite knowledge to attack the
   problem.  If done properly, this could be extremely effective.
   If done improperly, it could actually reduce your ability to
   respond because one would place too much trust in the capabilities
   of the members of the team.

   It all boils down to who is on the team and how you handle them.
   Even a single piece of paper with names and phone numbers on it
   could make an incredible difference.  It would not, however, be
   a SWAT team.  There are a lot of people in the military who
   spend their time studying group dynamics.  If you can find someone
   who understands both group dynamics and computer crime, and bring
   them into the picture, then you have the possibility of turni

                        - Don Alvarez


    + ----------------------------------------------------------- +
    |   Don Alvarez               MIT Center For Space Research   |
    |   [email protected]      77 Massachusetts Ave   37-618   |
    |   (617) 253-7457            Cambridge, MA 02139             |
    + ----------------------------------------------------------- +

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253