Computer underground Digest Wed Aug 4 1993 Volume 5 : Issue 58 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Coop Eitidor: Etaoin Shrdlu, Senior CONTENTS, #5.58 ( Aug 4 1993) File 1--An Apology to Joel Garreau File 2--The Complexity of Issues in the AIS BBS Affair File 3--Virus distribution Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020 CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893; In ITALY: Bits against the Empire BBS: +39-461-980493 ANONYMOUS FTP SITES: UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud halcyon.com( 202.135.191.2) in /pub/mirror/cud aql.gatech.edu (128.61.10.53) in /pub/eff/cud AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. EUROPE: nic.funet.fi in pub/doc/cud. (Finland) ftp.warwick.ac.uk in pub/cud (United Kingdom) COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Wed, 4 Aug 1993 21:18:55 CDT From: Jim Thomas Subject: File 1--An Apology to Joel Garreau In CuD 5.57, we published a response to Rep. Edward J. Markey's letter criticizing AIS BBS. We indicated that Rep. Markey's staff based the letter on the Washington Post article by Joel Garreau. We also argued there, and in CuD 5.51, that the Post article raised serious questions of journalistic ethics, primarily because of the use of citations by an "anonymous" informant and by an identified informant who were the same person. Some readers apparently, and mistakenly, believed that we were implying that Joel Garreau was unethical. As author of the response, this was categorically not my intent. As I (and other critics of the Post article) have stated explicitly, Joel made a conscious effort to be balanced and to present the facts as they were presented to him. Many of us consider Joel Garreau one of the more responsible journalists covering cyber-issues, and he has consistently displayed a willingness to learn and a meticulous concern to "get the story straight." I have both personal and professional respect for Joel, and I regret any ambiguous wording that might have suggested otherwise. I apologize to Joel for any impression that his own integrity was called into question. It wasn't. To challenge what may be common practices in no way implies that the practitioner is necessarily guilty. Airing media practices is not intended to cast blame, but instead to raise issues of how images are created through the visual or ASCII symbols of a given medium. One can object to a message while simultaneously respecting the messenger. The broader issue in media coverage of cyberspace issues lies in general media formatting and how all reporters shape images. As suggested in CuD 5.51, this probably reflects a style of journalism practiced by conventional media. Some reporters, including Joel Garreau, John McMullen, John Schwartz, Joe Abernathy, John Markoff, and a few others, provide balanced and often sympathetic coverage of computer-related issues. Often, however, there is room for honest disagreement over an "angle," and choice of facts. Less-experienced reporters seem especially prone to looking for a sexy or dramatic angle that will stimulate public interest. Lack of public familiarity with computer technology and related issues requires simplification and an occasional bad metaphor. These, in turn, influence legislators (as in the Markey letter), media hyperbole, and distorted information that re-inforce the image amongst law enforcement and the public at large that pernicious dangers lurk beneath the techno-culture of BBSes and the Net. We will provide a few examples of such coverage within the next week or two. At stake in all of this is the battle over images and the power that symbols possess to stigmatize and control certain behaviors that, when occurring in "real space," are Constitutionally protected. "Bad images lead to bad law," so this is not simply a quibble over preferred images, but rather a debate and battle over which rights shall (or shall not) be extended to cyberspace. ------------------------------ Date: Mon, 2 Aug 1993 22:31:44 CDT From: Paul Melka Subject: File 2--The Complexity of Issues in the AIS BBS Affair ((MODERATORS' COMMENT: Although we have frozen the discussion of specific personalities in the AIS BBS incident, Paul Melka's response is a thoughtful and in-depth response that focuses on issues. Paul's theme is that the complexity of issues offers no easy answers. Paul Melka is a security analyst in Baltimore)). +++ (Open Letter to Paul Ferguson) Paul, You and I have talked a number of times in FIDO and I have met you before during the "first" International Computer Virus Conference sponsored by the ICSA in Washington in late 1991. I have been following with interest the developments that have occurred with the Bureau of Public Debt's Automated Information System BBS. As a Security Analyst, I feel that I need to clarify some thoughts from my perspective as a user of AIS. I will quote you as appropriate, without quoting a ton of other background information. The quotes are from your responses to Cory Tucker on June 24, to All on June 26 and Frank Tirado, through Aristotle on July 15. I have also quoted selected portions of your response to CuD 5.51 that appeared in CuD 5.52. Again, my opinions are my own, for whatever they are worth. I debated long and hard, whether to just drop this completely, but I feel that its important that people see a different perspective of AIS and what Kim was trying to accomplish. PF> Although I'm a proponent of the "free-virus-exchange-is-akin-to- PF> Typhoid-Mary" train of thought, let's examine, for a moment, both PF> sides of the argument. PF> PF> Pro Vx PF> PF> o Individuals in favor of Vx claim that they have seen no evidence PF> that virus exchange systems have contributed to the spread of viruses. Actually, I believe that Vx boards have _definitely_ aided in the spread of computer viruses, both by allowing the spread of live viruses and by providing the knowledge to create new viruses. In the case of the AIS, it provided about 32 files containing viruses, as of late April, some of which had descriptions such as "Source code for 51 viruses". Adding all these together comes out to less than 160 _total_ disassemblies. Almost two years ago, David Stang asked you during a discussion how many viruses you have and you answered over 900 viruses. I would assume that this number has more than doubled for you. The reason that I point that out, is that proportionally AIS had no live viruses and very little source code. The source code itself was provided as a sampling of virus disassemblies. The great majority of people, both Anti-Virus and Pro-Virus would consider such a collection "lame". These viruses would not be any reason for even "wannabee" virus writers to contact the board. Yes, there were other files on the board, such as the virus generators VCL and G-squared, as well as the MtE and TPE encryption engines. These may have been far more attractive to "wannabee" virus writers and _might_ have been a misjudgment on Kim's part to make these available on the requested access area of the board (no one had access to the Underground files without directly requesting it). Personally, I don't feel that it was a mistake because having access to these files alerted me both to their strengths and weaknesses. PF> o Proponents of virus exchanges claim that by making viruses and PF> disassemblies available to their users, they are providing them PF> with the tools necessary to understand how computer viruses work. PF> Similarly, once this information is understood, they also claim that PF> it contributes to the overall enhancement of the computer security PF> knowledge-base of their users. PF> I believe this to be a true statement. Yes there are risks involved, but the bottom line to me is that if you catch one new virus from this information but are able to prevent 100 attacks from the information that you gained from that same source, the information is justified. Neither you nor I are in any position to determine whether more good or bad came directly from AIS. In fact, your echo VIRUS_INFO has had the telephone numbers for various Vx boards posted in it. As moderator, you can only re-act rather than act to prevent this, and I don't believe that your echo should be shut down because it provides this type of information on a regular basis. PF> o Many advocates of Vx systems claim that attempts at stemming the flow PF> of computer viruses is an idealism that should be protected under PF> freedom of expression and freedom of information concepts. I feel that what I or you or anyone else do on our own personal computers is our own business. As you mention in a post, when that starts to impact other people, then I give up my freedom as an individual to the freedom of society to have as safe a computing environment as possible. PF> Con Vx PF> PF> o Figures reflected in statistics compiled by all of the computer PF> security and antivirus organizations show a dramatic increase in the PF> number of computer viruses in the past three years. Since Todor PF> Todorov's Virus eXchange BBS, which was the first of its kind in the PF> world, the number of "underground" systems which mimic the PF> activities of Todorov's system has risen. Sara Gordon has documented PF> quite a bit concerning the impact of these systems; I'd recommend PF> her paper(s) on the subject which she has presented on several PF> occasions. As mentioned earlier, I think that this is true and don't argue the point. But I do not accept your argument that AIS was a Vx board, just because it had a handful of virus disassemblies on it. PF> o Viruses and disassemblies which are made available on these systems PF> are a potential danger. While live viruses present a more immediate PF> threat in the wrong hands, disassemblies can be considered even more PF> of a danger in most cases because of their ability to be easily PF> modified, recompiled and redistributed as undetectable variants of PF> existing viruses. These instances have happened with increasing PF> frequency and can be directly attributed to Vx systems and virus PF> creation groups such as Phalcon/Skism, YAM, NuKe and ARCV. Yes they do represent a potential danger, just by the very nature of Vx boards encouraging each other with who has the most viruses in their libraries (even though in many cases, there are quite a number of phony "viruses" just used to get access to other files). PF> o With the availability of virus creation "kits," such as the VCL, PF> PS-MPC and the G-squared, even "wannabe" virus writers with little PF> or no skill at all can make viruses and distribute them at their PF> leisure. Agreed. Yet they also provide a valuable learning tool to people like myself who go beyond what the job requires to really attempt to learn how viruses work and how to best protect against them. PF> o While it should be realized that this type of activity cannot be PF> stopped completely, we must acknowledge the fact that Virus PF> exchange systems _do_ contribute to the spread of viruses. Virus PF> exchanges _do_ contribute to the propagation of new and undetectable PF> viruses. Access to live viruses and disassemblies are not necessary PF> for gaining knowledge and understanding how they work. A basic PF> understanding of assembler language and some practical examples, PF> including pseudo code, would suffice. There are an incredible amount of people in the security field of which you and I who are part who don't even need that much information! They will do their research and choose whatever virus protection PC Magazine recommends for this year (Central Point Anti-Virus and Norton's Anti-Virus). You mentioned in one of your posts that you have been doing virus disassemblies since they first came out. Why? Only you can answer that. In my case, I want to understand exactly how these things work. Have I succeeded? No, not by a long shot. There are too many things going on in the security field besides viruses that take up my time. I did get my company to allow me to set up both a stand-alone computer and a small LAN for virus research projects. Both these systems are in a locked room with passwords on the systems. Both these systems do not have viruses on them, except when I am specifically testing a product against live viruses. I also volunteered to assist with the International Computer Security Associates' volunteer Virus Field Researcher program. Unfortunately after only a few months the program fell apart. I don't want viruses to infect my company or computers that I am responsible for, yet at the same time, it is very important to me that I understand the inner workings of a virus as well as I can. I have had people say too many times, just illustrate it with pseudo code, yet for each of those times, I have heard three times as many people say, "I'm not going to give anyone any examples or pseudo-code, because it might give a virus writer an idea." I believe that the knowledge of viruses that I have gained has made me a better security analyst. PF> Can there be a common ground on this issue? Probably not. The computer PF> virus arena is filled with complex and diversified idealisms on the PF> subject. I consider myself a proponent of freedom of information, but PF> I also believe there are limits to one's freedom. I feel that AIS was helping to provide that common ground, just as ComSec is. I honestly do not believe that the information on AIS was of any real interest to any virus "wannabees". I think it was much more of an information exchange area for security professionals and the only benefit that the virus writers were getting out of it, was that they could say that one of their text files was posted on a Federal board. PF> ... In other words, one's right to a particular freedom PF> ends where it infringes on someone else's rights for safety or PF> privacy, in this instance. I agree with this as I said earlier. PF> And the government should certainly not PF> allow systems which participate in these type of questionable PF> activities to function within their realm of responsibility. Simply the PF> appearance of government sponsorship tends to lend some form of PF> legitimacy to the activities in question. But as you may have gathered, I strongly disagree with this statement. Can you tell me where I can legitimately get this type information except from boards such as AIS or ComSec. Personally, I would be willing to submit to whatever requirements there would be for this access. The problem is that I am not an anti-virus vendor or a full-time researcher. I am just someone who is trying his very best to understand and deal with the computer virus problem. And I feel that AIS has helped greatly with that understanding. PF> Proponents of virus exchanges remain unconvinced that making live PF> viruses, source code and disassemblies available endangers end-users. PF> I'm convinced that not all instances do cause damage, but I'm also PF> convinced that many times, it has done exactly this. I'm also convinced that _not_ all instances do cause damage, and I believe that AIS was one of those instances. PF> In the case of the AIS BBS, it was operating under the auspices, PF> whether explicitly or implied, of a Federal Office, namely the US PF> Department of Treasury. The point in all of this is not necessarily PF> what AIS did, but rather, how it was done and the apparent moral PF> "high ground" of legitimacy it portrayed by being an apparatus of PF> a United States Government office, financed (in part) with taxpayer PF> money. The point was that it was being operated as a _security BBS_ not a Vx BBS. The files that were on there were common viruses that were "ancient" in CyberSpace time. The fact that the government, or the Bureau of Public Debt was providing the service is really besides the point. Maybe the FBI or the Secret Service should have provided that service. They certainly accessed it. They were also certainly aware of it! But did either of these groups try to shut it down? No, it was shut down because of public perception in Risks forum that tax payers money might be used to sponsor a Vx board. PF> I admit that I am dismayed that people do not see the problem here. If the government was really sponsoring a Vx board, I could see your point, but again it was a board for _security_ people to gather information and to interact with hackers. PF> After this knowledge was made public, many questions surfaced, PF> including under what authority did Clancy operate a system with PF> implied blessings of the Treasury Department? I'd venture to say PF> that the Secret Service (remember Gail Thackeray?) frowned on this PF> rather heavily. If they frowned on this so heavily, then why did you have to get involved to shut it down? I'm sorry, Paul, but I don't think the pressure came from within, because those people could see the benefit of AIS. I think the pressure to shut it down came from the unreasonable, yet too often justified, fear of what the public might think. PF> I certainly claim no "moral high ground" on the issue. I took what I PF> thought was the best avenue of approach, which was to bring this topic PF> out of the shadows and into the forefront for discussion. And this was _the_ most nagging question in my mind. Why post anonymously? Your feeling have been widely known on these issues for a long time and posting anonymously really took away from that. I _do_ very much respect the fact that you took actions that you felt must be taken, but I do have to question your methods. I feel that the results would have been exactly the same if your English contact, whether it be Dr. Solomon or not, would have posted in Risks in almost exactly the same way, asking why as Americans we allow our taxpayers money to be used in this way. PF> Unfortunately, the discussion was brief and the actions behind the PF> scenes were apparently swift. Also, the assumption that Alan Solomon PF> originally forwarded the BBS capture log is pure conjecture. But still might be true! PF> In an ideal world, we all share the freedom to express our concerns PF> and ideas in an open forum. Although I may not agree with what you may PF> say, I would give my life for your right to freedom of expression. I'm not sure you understand exactly what you just said - because it really is up to each individual to protect their own rights and yes like you I would fight for those rights. PF> However, let's not confuse concepts of freedom of expression and PF> reckless computing. Again, in the case of AIS, I don't believe that reckless computing was involved at all. It was more so a matter of Kim wishing to share information that she had found beneficial to her with other people in the security field. There was no financial gain to Kim to make this information available. She could have simply kept everything that she learned to herself and none of this would have happened at all. But hasn't it been said over and over again that "Truth will set you free." I believe that. And if you just look at some of the outlandish claims by some AV packages, you have to wonder where the truth is. PF> Mr. Corey Tucker sent an "advance" copy article written by George Smith PF> (aka Urnst Kouch) which implied several items which were conjectured and PF> seemingly allusions. I posted a prior response, but additionally, I'd PF> like to post an article also written by Kouch which outlines Clancy in PF> the CRYPT newsletter #13, in which more altruistic mentalities are PF> discussed. I believe this is valid; it reflects the entirety in which PF> this whole fiasco existed. PF> PF> Additionally, I am also posting the Washington Post article, in its PF> entirety, for information purposes. PF> PF> If the truth be known, Mr. Smith did the most damage to Kim Clancy's PF> underground organization (and BBS) than anyone who may have followed, by PF> the publication of this very article. Certainly the fact that AIS was mentioned in both CuD and the Crypt newsletter may not have been in the best interest of the AIS, especially in the eyes of the general public. Both these underground magazines, although in some cases talking about how the Federal government had virus disassemblies available, were really focusing on the fact that this information was being provided to improve security, to aid in virus protection and prevention and to promote an exchange of ideas with both "hackers" and security professionals. PF> No need to call this number, it ain't there anymore. Not only did Mr. PF> Smith (Kouch) nail Clancy's coffin, he enabled others to do so on his PF> behalf. Actually as you mentioned in a later post, you accomplished exactly what you wanted to - you shut down the underground files on AIS. PF> Mr. Thomas (and readers of CuD), PF> PF> While my first instinct was to not post any response to your PF> scathing series of highly volatile articles (albeit, on a highly PF> volatile subject, Cud 5.51), I reconsidered after a colleague PF> reminded me that, unfortunately, silence on my part may be PF> misinterpreted as some form of admission of guilt. I do regret PF> that this instance has created such a stir, but I do not apologize PF> for the attention brought upon the AIS system which ultimately PF> resulted in the removal of commented virus disassemblies from PF> public access. If the only thing that was lost were the virus disassemblies, the loss would have had little or no impact on anyone. Most of the information that I gleaned from AIS was in the various underground and aboveground electronic magazines, such as CuD that will no longer be available on the board. Also the "hacker files" on Unix and Novell security were very useful to me to give me a focus on potential problems. PF> Without launching into a dissertation about the harm caused by PF> virus code (both compiled executables and reverse-engineered PF> disassemblies), I would like to make a couple of points which are PF> commonly taken for granted or disregarded altogether. PF> PF> The debate will obviously continue on virus eXchange systems, PF> which name they have been given due to the availability of virus PF> disassemblies, creation tools and the likes. (All of which were PF> available on AIS.) I get the distinct impression that we have not PF> heard the last on this topic. Far from it, I'd wager. If AIS were actively trading in viruses I would consider it a Vx, but because it has some "sample" disassemblies on it, I would hardly call it a Vx board. More current were the various underground magazines which had both virus disassemblies in them as well as debug scripts. Yet, in my opinion, these magazines were the most informative to me in understanding how computer viruses work. Since these magazines were so readily available, signature strings were almost immediately incorporated into the latest virus scanning software. PF> On one hand, we have those who argue that virus exchange (Vx) BBSs PF> do not further the spread of viruses and efforts to curtail their PF> activities are akin to stifling freedom of expression and the flow PF> of information. On the other hand, we have those who argue that Vx PF> BBSs most certainly aid in the spread of computer viruses simply PF> because they allow live computer viruses, source code and PF> disassemblies to be freely exchanged as would youngsters trade PF> baseball cards. PF> PF> However, baseball cards do not inflict damage, but many times PF> viruses do exactly this, in the hands of an unwitting or PF> inexperienced computer user. Many things that someone might collect are potentially harmful, the point is what is done with them. Vx BBSs have both their good and bad sides and I don't think that anyone would argue that having full download privileges on the first call to a Vx board is curtailing the spread of viruses. (Well, maybe _someone_ might!) PF> To briefly address some selected points made in Cud 5.51: PF> PF> Jim Thomas writes (in File 1 -- Introduction to the AIS BBS PF> Controversy) - PF> PF> "Perhaps the anonymous accusers are correct: Some types of PF> information may pose a risk if abused. But, in an open democracy, PF> the potential for abuse has been neither a necessary nor a PF> sufficient justification to silence those with whom we disagree." PF> PF> I am flattered that you suggest I actually have enough clout to PF> personally silence AIS, if that is the gist. I took the liberty PF> of making it public knowledge, while concurrently voicing _my_ PF> opinion about its merits. This street goes both ways. Most of us PF> are painfully aware of the numerous virus underground systems PF> around the world, yet the attention is focused on a solitary PF> system run by an employee of the U.S. Treasury Department. Why is PF> that? I suggest that most who squeak the loudest in opposition PF> to my anonymous (hardly) posting are either a.) not familiar with PF> the amount of damage, in both manhours and dollars, caused by PF> computer viruses each year, b.) overly radical proponents of PF> information exchange who care not what damage may result in said PF> exchange, or c.) banging their drum just to bang their drum. PF> PF> (Please note the use of the word "most" in the statement above.) Thanks for giving me the "most" option, because I honestly do not feel that I fit into category A, B or C. Throughout this letter I hope that I have adequately expressed my feelings that AIS provided a positive impact in the fight against computer viruses. I am very well aware of the damage viruses can cause in both hard and soft dollars, I do not believe that all information should be free - certainly there are very individual things such as credit history, medical history, etc. that are becoming far more free than I would care for. And I hope that no one feels that I am just banging my drum, just to hear the hollow sound it makes. I am trying to honestly express my personal opinion to give all of us the chance to stretch and grow. PF> Jim Thomas again writes (in File 6 -- Media, Anti-virus PF> personnel, Ethics, and AIS) - PF> PF> "Let's keep some facts straight. 'Mr. Smith (Kouch)' did *not* PF> 'nail Clancy's coffin.' Paul Ferguson and his friends did with PF> anonymous inflammatory posts and with other posts that PF> irresponsibly suggest illegal and 'underground' activity." PF> PF> I'll address this directly, since it is obviously your opinion, PF> not fact, as you seem to imply. In fact, I think you should have PF> used "opinionated" instead of "inflammatory," but that is your PF> prerogative. I find it odd that after so much "underground" PF> exposure as was afforded AIS in the months preceding my PF> "anonymous" post, not an eyebrow was raised. Perhaps Kouch's Paul, again I'm not sure where you are coming from. In one breath you say that your actions were not responsible for AIS losing its underground files, yet on the other hand you mention that no other response was made to the various underground articles about AIS (as well as aboveground articles in newspapers such as LAN Times). Your anonymous post was almost directly responsible for the current state of AIS and since that is exactly what you wanted to accomplish, why not just accept that? PF> publication is truly "underground" catering specifically to PF> hush-hush underground circles of computer vandals? I don't PF> think so. Perhaps Cud is truly an "underground" publication? PF> I think not. So where's the beef? PF> PF> One "anonymous" post, strategically placed razed the house of PF> cards. PF> PF> Mr. Thomas makes one excellent point, however, in the midst of PF> the remaining text - PF> PF> "It's said that some people, angered at this affair, are planning PF> to retaliate against those judged responsible. This would be an PF> ethically bankrupt response." PF> PF> At least we can agree on this point. I agree as well. What is done is done. And even if you went to the Bureau of Public Debt yourself, they would not allow the underground files to be posted again on their board. Only time will tell whether your actions were positive, as you believe, or negative. PF> One final note, for what its worth. I did not post the forwarded PF> article to damage Clancy's reputation or to prove any particular PF> political point. Personally, I have nothing to gain by the PF> results. I do not foolishly sally forth and and do someone else's PF> bidding in hopes of gaining favor. I do not publish software PF> which would be directly or indirectly beneficial to myself, PF> especially anti-virus software (I have done extensive work in PF> assembly and have reversed-engineered viruses since their PF> appearance, however). I posted the article because I believe PF> it is a conflict of interest for any governmental agent to PF> openly make viruses and disassemblies available, regardless of PF> intent. I realize that you were acting in what you felt were everyone's best interest, but I also feel that there is nothing wrong with our government making information available to help protect our computer systems - and I believe that is what AIS was doing. You can learn how to make a nuclear bomb by going to the library, but you need the intelligence and materials to actually build one. PF>If only one instance of damage resulted directly from the PF> virus-related material available from AIS, then that is one too PF> many and I would happily rest my case. Yet, what if the knowledge shared by AIS enabled more and more people, like myself or Frank Tirado, to better educate our users and to give them the knowledge of what to do if they discover a virus. I have seen more damage caused by user ignorance (meaning lack of knowledge), than most actual viruses once they are detected. Did you ever have a client who thought they might have a virus but didn't want to bother you, because they might be wrong. Those are the people that we need to educate - in virus protection, prevention and recovery. It is not a safe computing world out there and all of us need to do whatever we can to make it safer. PF> What happened to the hacker ethic? I seem to recall a "no damage PF> clause" which still echoes in my mind, especially with the advent PF> of this fiasco. "Damage?" "Damage," you say, "What Damage?" "AIS PF> only made it available -- they're not responsible for what is PF> done with it!" In my personal opinion, I would be very surprised if there is any damage that could be traced either directly or indirectly to AIS. But I would think that there are a lot of people that can directly trace a great deal of benefit from it. Again that is only my opinion and neither you nor I can really prove otherwise at this time. PF> Now that I think about about it again, I'm really "not sorry." I didn't think that you were and that's why I've taken the time to write these responses. I felt that even though you may not agree with everything that I have said, I still had to express those feelings. PF> PF> An Open Letter to Mr. Frank Tirado PF> PF> In order to adequately address your concerns, accusations and PF> opinions, I have also included quotations from your last message, PF> preceded by angled brackets (">"), as is customary with most PF> netspeak. PF> PF> > Message from Paul Ferguson to Cory Tucker: PF> PF> > "....I find your posts rather humorous, yet at the same time PF> > offensive. If Mr. Tirado wishes to confront the issue himself, PF> > I'd suggest he do so. His absence here in Fidonet or Usenet PF> > somehow diminishes his credibility. In the meantime, please PF> > refrain from posting such drivel....." Paul, most of your posts appear to be very well thought out, but whether someone is on the FidoNet or UseNet, really should not diminish his credibility. PF> I'd like to specifically address each of your points and present PF> contrary opinion. PF> PF>FT> o Closing down the AIS board eliminated a major avenue for PF>FT> the propagation of viruses........ Oops! My imagination PF>FT> ran wild for a moment. You and I both know that not the PF>FT> slightest dent has been made in the flow of information PF>FT> which you and your cohorts find so objectionable. PF> PF> I apologize, Mr. Tirado -- I do not know that and frankly, nor PF> do you. This statement is purely conjecture and you could not PF> know possibly otherwise. Your sarcasm is evident. However, I PF> disagree implicitly. As I stated in my response (which I have PF> submitted to Jim Thomas for inclusion into Cud 5.12) to CuD, PF> if even one incident of modified virus propagation resulted PF> from the availability of viruses on AIS, then my action was PF> warranted, in my own opinion. However, it is obviously a PF> rhetorical point because once the files were obtained, no one PF> can gauge the possible damage which may have resulted in these PF> instances. The point being that no one can know either the beneficial or negative impacts that the virus disassemblies on AIS (not viruses) have had on all of us. I personally believe that if there was any negative impact, it was outweighed by the knowledge gained and shared by those thousand plus users of the board. But that is really just my own opinion. PF>FT> o Now the virus boards cannot point at the AIS board and PF>FT> say: "If they're doing it, why can't we?" I'll grant PF>FT> you this one, but I really can't see virus boards using PF>FT> this defense very successfully, should it ever come to PF>FT> that. PF> PF> Then you obviously have not been observing the activities of PF> underground vX (virus exchange) systems since their inception. I PF> have, and I have watched trends develop. For example, the major PF> Vx systems have been (and still are) run by members of virus PF> creationist groups such as Phalcon/Skism, Nuke and Trident. PF> These groups are directly responsible for escalating the sheer PF> number of viruses by creating new, undetectable variants of PF> existing viruses and creating virus creation tools. This is PF> unacceptable, yet you seem to condone this behavior... PF> Paul, are you saying that you are a frequent visitor to Vx boards? Personally, I don't have any problem with that at all, because I believe that any interest you would have in the Vx boards would be used to increase your knowledge of viruses and their functions and to improve security for all your clients, and others through your posts on Virus_Info. I am not saying this sarcastically at all. We should all be willing to learn from many sources, not just those that are deemed "appropriate". I don't think anyone can deny the impact groups such as Phalcon/Skism, Nuke and Trident have had on the virus world. PF> > o Those individuals who could "legally" (there was nothing PF> > illegal about any information obtainable through the AIS PF> > board) obtain useful and pertinent information from the PF> > underground will now probably gravitate towards hacker or PF> > virus boards. You think not? Let's wait and see..... PF> PF> "Nothing illegal?" At least not yet, obviously. Unethical? That PF> is subjective opinion. (I consider it unethical, but as I stated PF> above, this is purely subjective.) We shall "wait and see," as PF> you've suggested, however, do not expect us to simply dawdle PF> idly while these activities are being conducted in real-time. PF> Legislation will be introduced in the coming congressional PF> session which would outlaw these activities. (Refer to PF> Computerworld article, "Virus vagaries foil feds," July 12, PF> volume 27, issue 28 for further information.) PF> PF> > Your statement that my "absence here in Fidonet or Usenet PF> > somehow diminishes (my) credibility" is ludicrous. In other PF> > words, I'm outside of your control so my opinions don't count. PF> PF> On the contrary, Frank. Your opinions are equally as important PF> as anyone else. By my statement above (hopefully you can gauge PF> the sentiment), I simply do not indulge myself to be duped into PF> responding to 2nd party posts in FidoNet -- it is too easy to PF> forge. While Fido is near and dear to my heart, there are PF> certain aspects about Fido messaging which are rather dubious. PF> Your message, while intelligent and forthright, was presented by PF> a second party; in this instance, I had my doubts as to its PF> authenticity. A reasonable precaution, since there have been numerous posts from various people pretending to be other people. It was actually refreshing to see you treat this post as a valid post by Frank Tirado. PF> This is perhaps the most offensive of your statements. I am told PF> that you are a systems security analyst with the Department of PF> Agriculture. I do not recall seeing you at any computer security PF> conferences, nor recall your participation in any antivirus PF> parlances. Do you have some hidden expertise in the antivirus PF> arena, or are you simply spouting opinionated idealisms? Actually, Paul, I'm not sure what conferences Frank attended has to do with anything. As I started out with, I met you in November of 1991 in D.C. (don't worry that you don't remember me) and was going to be a guest speaker at the cancelled conference in November of 1992 with the ICSA's volunteer field research program. I was also at the NCSA conference in DC (IVYP '92), LAN SEC '93 and dropped in on InfoExpo '93. Unfortunately budgets are tight and I can't get to anywhere near the number of conferences that I would like to get to. I did meet Frank for the first time in person at LAN SEC and saw him again at InfoExpo, so I can at least say he was at these conferences. But the point is, I don't understand what _your_ point was. There are only a handful of recognized "experts" in the field and unless you are willing to devote a lot of time to the process, it will likely stay that way in the foreseeable future. People like myself, don't need to be an expert on every little aspect of computer viruses. We don't make our living dissecting the viruses and creating scan strings for them. But what we need to be able to do though, is to be able to talk intelligently about viruses and how they work. We need to be able to provide a positive service to the companies we work with and to people we meet. Virus_Info has helped provide some of this information, so did AIS. There are a great many security professionals out there that are just trying to do the best job that we can, and unfortunately product vendors are often not the best resource for information. You have to weigh the information from a number of sources, both good and bad, then make the most informed opinion that you can. If you only look at one side of the coin, you will be cheating yourself and your customers. PF> Mr. Tirado, what I may think has nothing to do with your PF> opinions, nor anyone else's for that matter. I have watched as PF> virus exchange systems have become the rave, and have absolutely PF> contributed to the spread and distribution of viruses, both PF> known and contrived. In the matter of AIS, I was outraged that a PF> government sponsorship was participating in these same PF> activities as other virus eXchange systems. If you were outraged, you were right to express those emotions. As I have mentioned many times, I do not feel that AIS could be dumped into the category of Vx boards. It was a board to provide security related information. PF> > I don't think so. I find it next to impossible to implicitly PF> > accept the word of a group whose bottom line is the almighty PF> > dollar. Besides, as a self-regulating group you guys can't even PF> > police themselves. I obtained my first 20 viruses from a vendor at PF> > the same conference where Peter Tippett first proposed not sharing PF> > viruses. The implications should be "crystal clear", considering PF> > the plethora live viruses and source code floating around with the PF> > imprimatur of the major AV software developers. PF> PF> I admit that the antivirus crowd has its share of prima donas PF> and is shadowed by the profit modus operandi. I am in no way PF> part of the group, either explicitly or implied. You obviously PF> do not know me. I think that there are a lot of people that really don't know you! I still can't get over the time you posted that you were looking for a new moderator for Virus_Info. It put a human side onto you that few people see electronically. I do honestly respect your opinions, even though I may not agree with all of them. Most of the stuff that I deleted out of here, I left out because either I agreed with what you were saying or had very little objection to it. PF> As a final note, I respect your opinions, if that is of any PF> consequence. I have been a member of the cyberspace community PF> since the late seventies and I have witnessed many, many PF> changes in the culture of the nets. The one thing that truly PF> upsets me, however, is the reckless abandon with which computer PF> viruses are made available to anyone with a modem. See above. And yes sometimes it is very upsetting how easy computer viruses are made available to anyone with a modem. But it is just as upsetting to see all these claims made by vendors that you will never need another scanner or any other product. There is as much in-fighting among the AV people as there is among the virus writing groups. PF> I have spent countless hours and dollars cleaning up computer PF> viruses from countless workstations and LANs. The financial loss PF> on the part of these companies is mind-boggling. While you decry PF> the freedom of folks to freely exchange potentially damaging PF> "information," at least keep this in mind. PF> PF> To quote you in CRYPT #16, PF> PF> "Too my mind, the AIS BBS was one of the best applications PF> of my taxpayer dollars," said the USDA's Tirado angrily PF> during an interview for this story. "The spineless curs!" PF> PF> PF> My actions were neither spineless nor uncalculated. I have done PF> what I intended to do. Private virus distribution systems are PF> next on the agenda... Obviously, I had no problem with my taxpayers dollars being used to help support AIS! And I have also spent far too many hours and dollars cleaning up viruses from workstations and LANs. I think there are a lot of people in the security field, who would like to see it all just end. But the thing that keeps sitting in the back of my mind is that you said you would be willing to die for my freedom of expression! I don't want you to die, but what I also don't want to lose is the right of a person to code a virus on his or her computer! There have been laws passed against alcohol and laws passed against pornography and many, many other laws. And I _now_ believe that there will be some kinds of laws passed against computer viruses, but I hope that these laws are laws of responsibility for actions, not laws for what each person does with their computer. I understand that deliberately infecting another individual with a virus is against the law and maybe in the future the posting of computer viruses on _any_ type of BBS might be regulated with various controls, but as I overheard Dr. Solomon say once, "As an Englishman, I am constantly amazing how willing Americans are to give up freedoms that they fought so hard for just two hundred years ago." I don't know if that was the exact quote, but that was very close to it. I hope that we are not once again giving up another freedom because of fear. ------------------------------ Date: Thu, 22 Jul 1993 09:41:25 -0400 (EDT) From: "Paul R. Coen" Subject: File 3--Virus distribution Someone recently implied that distributing virus code may soon be illegal in the United States. "This is a difficult issue." I keep hearing that. No, it isn't -- not in the United States, at least. Sure, *maybe* laws can be passed to prevent distribution of virus source code via a BBS. I'd love to see someone try to pass a law preventing a printed publication distributing source code. Since the virus code itself, on a page, is not harmful, you really can't make a case for banning it. Especially since a good case could be made against such a law being an exercise in "prior restraint." Not harmful? No. Not sitting on a page. Or even in a text file on a computer. It hasn't been turned into anything harmful. It isn't a direct threat. The threat comes from the fact that it is information that could be used to make something harmful. There's an awful lot of information out there that falls into that category. Who really uses source code? There aren't that many virus writers out there, and source code has been around for a while. I would guess that much of it is aquired by the curious -- people who have heard about viruses, want to see what it looks like, etc. They'll probably never write their own. They may never even assemble the ones they get. Who else gets it? Technical staff who need to know what a virus does in order to figure out what level of panic they need to instill in their users over a particular outbreak. In other words, you can't assess a threat unless you know what a virus does. In that case, you have a few choices -- find good, accurate information on what the virus does (difficult), disassemble it yourself (tedious and time consuming), or find a cleaned-up disassembly somewhere. I'd prefer the latter. I've had to do the second more than once. "Oh, but you don't *really* need to know. Just remove it!" Bull***t. Making your users freak out over Stoned to the same degree that you would want to panic them if they had something that was deliberately nasty on their drives is just not what you want to do. A sense of proportion is required here, and that is what is so often lacking in discussions about computer viruses. Your users want to know what the threat is, and unless you either a) lie and always say it is destructive or b) shrug and say "I don't know," you need the information. Who else gets it? Not too many of the virus writers. They usually have it already. They have channels to sources for information like this. A lot of IS people don't -- and don't want to have to waste their time making the needed connections, either. This reminds me of Rep. Markey (is that the right spelling? I can never remember) going off about _2600_ at the hearings. He didn't seem to realize that a) _2600_ is pretty innocuous and b) a lot of the subscribers are computer professionals who would like to know what is going on so that they can protect themselves. Vendors never give you details, that's for damn sure. Where am I coming from on this? I was one of the people who dealt with the first virus outbreak at Drew University, about 4 years ago. Since then, I've managed to convince the school to site license anti-virus software. I've also had to deal with a lot more viruses. And I've wasted a lot of time. A good amount of that time, though, would have been saved if there was detailed, accurate information on viruses available, or if I could just get an already-done and commented disassembly. Not for something like stoned, but every once in a while we get something kind of goofy that anti-virus software can't deal with. I want to know what it is, where it copies the original boot sector to on the drive, if it has a payload, what's the trigger, etc. I've never written a virus. Could I? Yes. Will I? Probably not. I don't have the desire or the time. Stop trying to dictate what kinds of information are "good" and what is "bad" in an area like this. Unless this violates privacy (and I would make exceptions for people whistleblowing on corporations or criminal activities), I don't really have an ethical problem with it. The information is there, and it is far more useful to try to teach people to be responsible than it is to try to track down everything that an irresponsible person could do damage with. You don't teach ethics by declaring some piece of knowledge taboo and trying to stamp it out of existence. ------------------------------ End of Computer Underground Digest #5.58