Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I recently sent a TELEX message to Copenhagen. The recipient responded by
writing on the message he received from me and returning it by normal post.
I thus found that the TELEX carrier had appended text to my original message,
which struck me as unprofessional and unethical. The appended text reads:
FOR 1988 HOROSCOPE FORECASTS
CALL USA 62200 CODE 9150
Has anyone else noticed any such appendages to TELEX messages? (If you also
find out my horoscope for Sagittarius, please let me know what the stars
portend for me.)
Bruce N. Baker, SRI International
[Hmm. Sagittarius is depicted as a centaur (HALF-HORSE) shooting an arrow.
The question is whether this was a Trojan half-horse (since it attached a
second half to the message — BUT POSSIBLY EVEN CHANGING THE FIRST HALF?)
or a sleazy advertising campaign on the part of TELEX... Well, buses and
taxis routinely carry advertising. TELEXes cannot be too far behind!
Or perhaps this is like the Wells Fargo case of RISKS-6.27? PGN]
Some excerpts from T.R. Reid's "Personal Computing" column in the 15 Feb 1988 Washington Post: "...such programs [computer viruses] are rarely a threat in the personal computer world. And they are fairly easy to defend against." "...These cases [NASA, IBM xmas tree] involved networks of work stations or even bigger computers. That's the first key point to recognize about the computer virus reports--they don't involve personal computers." "If you never "feed" your machine anything but programs from established software houses, your machine will be immune." "If you like to call up bulletin boards to download programs...there is a chance that your hard disk could be infected by a virus program. The possibility is so unlikely that you really needn't worry much." "In sum, my answer to personal computer users concerned about computer virus is: Don't Worry." Rebuttal of the points mentioned is left to the humor of the reader. Joseph
Here are two contributions from "Computing Australia", 1st Feb 1988.
1) From the back page (the "laugh" page):
``From the 'If he had another brain it would be lonely' department.
A US auditing firm was training a group of taxation accountants in the
use of a Macintosh word processor. The demonstrator directed his students
to "Point and click with the mouse." One student raised his hand and
announced nothing was happening. On checking, the instructor found he was
clicking the mouse button and pointing at a screen icon — with his
forefinger! No doubt the student's progess report would have carried
the notation that he was a dis-a-pointer.''
The RISK? Sometimes, instructions are interpreted literally... Although
I can imagine the semantic confusion that could arise should a mouse ever
be teamed up with a touch-sensitive screen!
2) Elsewhere in the same issue (a "serious" page):
``Virus centre too risky: Canberra.
"Great risks" would arise from the setting up of a national information
security research centre to fight software viruses, according to
Technology Minister Senator John Button's Canberra spokesman. Queensland's
computer security expert Dr Bill Caelli has called for government funding
for such a centre. He said the proposed centre could develop tools to
analyse software packages to ensure they were virus-free and did no more
than they were supposed to.
Button's spokesman said "In general, the Government's attitude is `Let the
user beware'. We don't want to reject all calls out of hand but are not
planning any further regulation. There could be great risks: if the centre
or its tools validated a program and it turned out to have a bug [virus?],
it could face litigation.''
That last bit worries me - we can't even verify programs at the SOURCE level,
so, short of brute-force emulation, what hope have we got at verifying them
at the machine-code level?
Dave Horsfall (VK2KFU) ACS: dave@stcns3.stc.OZ.AU
Alcatel-STC Australia ARPA: dave%stcns3.stc.OZ.AU@uunet.UU.NET
11th Floor, 5 Blue St UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
North Sydney NSW 2060 AUSTRALIA munnari!stcns3.stc.OZ.AU!dave
[There are unconfirmed reports that some of the "virus-killer"
programs themselves contain Trojan horses. CAVEAT EMPTOR. PGN]
Information Week, 2/22/88 has an article about computer viruses and another
about computer security. Both of the articles are pretty worthless, being
full of sensationalist statements and very little fact. But, they did put
the following in:
PC expert Eric Newhouse lists known contaminated programs that should be
avoided on public bulletin boards. If you have a copy of one of these
programs, consider it suspect even though some run fine. When no extension
is listed, the program has appeared with many extensions.
Arc List60
Arc513. QMDM110.Exe
Arc600 QMDM110A.Arc
Balktalk Quikbbs.Com
Discscan.Exe Secret.Bas
Dosknows.Exe Stripes.Exe
Egabtr Vdir.Com
Filer.Exe
(The rather weird capitalization scheme is theirs, not mine.)
Dave Curry, Purdue University
A club based in Canberra offerred someone $100 to write a program for the
Amiga that would do some timetabling for a conference that the club holds
annually. When the conference rolled around, the program was not ready
and the timetabling was done by hand, and there were many mistakes made.
A meeting was held recently, some three weeks after the conference. At this
meeting the programmer pointed out that although he didn't have a working
product, he had done a lot of work for the club, and asked for his $100.
He was asked why the program wasn't ready in time. He replied, "It's not
my fault. The program was hit by a virus which scrubbed my disk, and I
didn't have a backup."
The Risk? Well, it may be true that a virus scrubbed his disk; but there
was no mention of it until the meeting. With the proliferation of viruses,
and the big fuss that the media are making of them (that includes computing
industry newspapers, the major press and discussions on the net), it seems
to me that programmers now have a real handy excuse for not meeting their
commitments.
DavidP
Mr. David Purdue Phone ISD: +61 62 68 8165 Fax: +61 62 470702
Dept. Computer Science Telex: ADFADM AA62030
University College ACSNET/CSNET: davidp@csadfa.oz
Aust. Defence Force Academy ARPA: davidp%csadfa.oz@uunet.uu.net
Canberra. ACT. 2600. JANET: davidp@oz.csadfa
AUSTRALIA Other Gateways: see CACM 29(10) Oct. 1986
UUCP: {uunet,hplabs,ubc-vision,nttlab,mcvax,ukc}!munnari!csadfa.oz!davidp
In theory, Larry Nathan's example of exporting classified information from a secure area should not be possible because all outgoing information from a secure area is suspect and is sanitized. However, human nature being what it is, the outgoing scrutiny is probably not done as thoroughly as it should and data can escape this way. Another approach can subvert even the best outgoing screening process. This is the use of covert channels, sometimes called "banging on the walls". The method is to use some communications channel that is not considered an "output" from the secure area. For example, the virus could cause a disk head positioner to travel its maximum excursion at its maximum velocity, then modulate the frequency of reversals according to the classified data to be transmitted. The data can be received by recording the vibrations caused by the disk drive. This method subverts most of the top secret TEMPEST secure installations that I have seen. The common risk here is that security plans generally assume that the only dangers are physical entry, TEMPEST leakage, or information leaving via the area's normal output channels. Completely ignored is the possibility of data ENTERING the area as being a security threat. I have just recently reminded our system operators about the possible dangers of a virus exploiting covert channels and the care that must be taken to ensure that our UNsecure systems are not infected, which could be a threat to our secure systems. Of course, safe software practices should be when sharing software among systems with differing classifications, even if the systems are entirely in-house. A group here at Honeywell SRC is working on the thornier problem of preventing such attacks on single multilevel secure systems (class A1+ trusted computer). Another virus subject that has been discussed, is the trustworthiness of software held in archives on the net. What should not be overlooked is that even if a given archive can be trusted, the intervening path may not be. Software can be infected en route. Many of these routes pass through universities, which can be the most hazardous software environment in the world.
> '... People here in Canada and over in Europe see this for what
> it is, a message of peace. It's you people in the United States who see
> it as something dark and nasty.' [Henry, are we really that paranoid down
> here?]
The "message of peace" business is pure self-serving excrement. (I may
possibly be biased here, since I have a low opinion of a lot of the lip
service given to "peace" nowadays.) It's no better than a cute prank.
However, I'm not too impressed by the paranoids either. (No, there is
no particular concentration of paranoids in particular nations that I'm
aware of.) This actually goes back to the old question of whether it is
better to expose security problems or keep them secret. One's attitude
on that issue determines whether one thinks the MacMag incident was a
harmless prank that may alert people to a real problem, or an evil act
that opens up horrible vistas. Personally I side with the former point
of view: this particular incident was childish but harmless — note that
the people involved hired a professional programmer, whose duties presumably
included making *sure* that it was harmless — and anyone who believes
that the Bad Guys hadn't thought of it already is dreaming.
The one risk I do see coming out of this is the possibility of it inspiring
others to implement and spread "harmless" viruses that may not be so well
built and may inadvertently cause damage. But these are still rather
less likely to make trouble than the truly malicious ones, and maybe it
will help wake people up.
Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry
> ... the inevitability of viruses that target specific software products. ... Although detecting such a virus would be difficult, once detected, recovery from the virus should not be difficult. After making a copy of the distribution software onto a hard disk or another floppy, the original program disk or tape should never see the computer again (unless the copies are damaged or lost). It is probably also a good idea for the original copy never to be put into the computer write-enabled. Once a damaged copy of a program is found, the online copies of it are deleted and replaced from a secure copy after the virus has been removed. The problem with most viruses is that their target is often the operating system. This first step, deleting the online copies is not possible because the computer won't reboot after that. That might point to a solution: The computer needs an "immune system" that can be booted from, say a read-only floppy or tape, and may then be used to safely replace any corrupted system or user files from archive copies of the software. Probably, since most executables are not supposed to modified, the immune system simply could go through each of the distribution disks and do a binary compare of each program with the archive. If a program has changed, it is replaced with a clean copy. The primary feature of an immune system is that it never executes any external non-ROM code so that it is impossible for it to be attacked by a trojan horse (assuming the ROMs can be trusted). Bill Smith wsmith@a.cs.uiuc.edu ihnp4!uiucdcs!wsmith
Carl J. Lydick's contribution to RISKS volume 6.27 demonstrates the potent power of rumors and allegations. The Chaos Computer Club's announcement that they were going to trigger their Trojan horses in the Space Physics Analysis Network further illustrates the power of rumor _backed by plausibility_. They didn't have to do anything. The sky didn't have to fall. Nervous managers did the damage for the C.C.C. because they felt the announcement/threat plausible. The prophecy was fulfilled. A similar effect occurs in response to a rumor, even when the rumor's threat is implausible or provably incorrect. In the past, I was a naval officer assigned to a submarine. When you are at sea and the nearest supermarket is hundreds of miles away, toilet paper becomes a precious commodity. The ship never left port without an adequate supply yet, if one let it `be known' that we were `running out of toilet paper,' a two month supply would be exhausted in two days!!! People would irrationally grab a roll or two and hide it. This is in spite of the fact that we (1) started with an adequate supply and (2) a submarine is small enough to verify or invalidate the rumor in less than one hour. Rumor starting and quelling were both useful skills. This behavior also appears frequently in western newspaper reports of eastern European countries. The rumor starts that there is going to be a shortage of X, there is a run (well perhaps a line) on the markets for X, X is sold out, and the prophecy is fulfilled. There are three levels of rumor - the impossible, the plausible but improbable, and the possible and likely. The first can be ignored. The second may be ignored after evaluating the risk inherent. The third requires serious investment of time and effort in evaluating the risks and then further resources to develop counter plans or contingency measures. The malicious rumor promulgated by the Chaos Computer Club was clearly of the third form. Their announcement was, in short, a form of terrorism. I don't know what level of access the C.C.C. obtained to SPAN. Perhaps the system managers' fears were well founded and their actions were reasonable reactions to the perceived threat. I do know that the specter of security (Trojan horses here) can be raised over their heads again and again until they are so weary of it that they don't respond. That would be a most debilitated condition - all `care-ed' out. To cope with the threat one hopes SPAN is in the meantime analyzing the situation for alternate responses and cleansing their systems. Frederick M. Korz, Graduate Student, Columbia University, N.Y.C, N.Y.
A very similar scenario (and the first time I ever saw viruses mentioned) occurs in the science-fiction novel "The Adolescence of P-1" by an author whose name I have forgotten. Given some suspension of disbelief (unreasonably good AI capabilities), an entertaining and thought-provoking farce about computers and security. -- Kian-Tat Lim (ktl@wagvax.caltech.edu, GEnie: K.LIM1)
Please report problems with the web pages to the maintainer