HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / CRYPT14.ZIP / CRPTLT.R14 < prev next >

Wrap

Text File | 1993-04-05 | 62.6 KB | 1,158 lines

▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄ ▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ █▒▒█ █▒▒▒▒▒▒▒█ █▒▒█ █▒▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒▒▒█ █▒▒▒▒▒▒█ █▒▒▒▒█ █▒▒█ ▀▀▀▀▀▀▀▀ █▒▒█ ▀▀▀▀█▒▒█ █▒▒█ █▒▒█ █▒▒█ ▀▀▀█▒▒█ ▀▀▀█▒▒█ ▀▀▀▀▀ █▒▒█ █▒▒█ ▄▄▄▄█▒▒█ █▒▒█ █▒▒█ █▒▒█ ▄▄▄█▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒▒▒▒█ ▀▀ █▒▒█ █▒▒█ █▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ ▀▀▀▀█▒▒█ █▒▒█ █▒▒█ ▀▀▀▀▀ █▒▒█ █▒▒█ ▄▄▄▄▄▄▄▄ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒▒▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█ ▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀ ▀▀ ▀▀ ▀▀▀ ▀▀ NEWSLETTER NUMBER 14 **************************************************************** EDITED BY URNST KOUCH, March - April 1993 CRYPT INFOSYSTEMS BBS - 215.868.1823 INTERNET: 70743.1711@compuserve.com or CSERVE: 70743,1711 **************************************************************** TOP QUOTE: "I BM, you BM, no more BM for IBM." --slight mutilation of doggerel found in David Gerrold's "When H.A.R.L.I.E. Was One" IN THIS ISSUE: News . . . more on "Approaching Zero" . . . comment on Mark Ludwig's Virus-Writing Contest from Bontchev and others . . . Virus complexity: biological v. computer . . . RashPutin' speaks . . . TOTORO DRAGON source code . . . fly-on-the-wall at March IEEE Security Conference in NYC . . . The PC CARBUNCLE virus . . . FICTUAL FACT/FACTUAL FICTION . . . miscellany. *************************************************************** Starting on a stupid note: "The Flintstones" and "The Jetsons" AREN'T educational programs anymore, declared a New York Times front page story on March 4. In its usual dead serious tone, the newspaper informed readers in 20 worthless column inches that the FCC had come to this landmark decision. Further, it reported that "lobbyists for the broadcasting industry were [not] pleased, however." The reason we mention it is that the typical Crypt Newsletter reader despises this type of information, which social critic Paul Fussell terms "BAD." "BAD" is that sub-intelligent quality defined by any society, in this case America, that requires a large, doltish bureaucracy to tell it "facts" that even the average house pet knows. The Crypt Newsletter is all about exposing "BAD." In another equally "BAD" NY Times computer piece the same month, reporter John Markoff [co-author of "Cyberpunk"] wasted almost a full page talking to jet-setting pals about the technical shortcomings of the Apple Powerbook laptop computer. "You're flying across the country," one of Markoff's confidants moans, "and you inevitably find your Powerbook goes dead somewhere over Ohio." Bummer. Power users, adds the confidant, cluster near the toilet because that's where power outlets are on airplanes. "I won't do real work on the batteries," chirped "Artificial Life" author Steven Levy. This from a man who once wrote in a piece of "real work," "A rock would certainly be low on any continuum of aliveness." Markoff wrapped up the article with a finely crafted mixed metaphor, which we assume is considered skillful prose at the Times. "To Apple's credit, it takes . . . complaints seriously and whittles away at the list of nits with each new model." CHINESE NOMENKLATURA PIRATE PIRACY STUDY: Not to be outdone by the Americans in this week's "BAD" sweepstakes, the Chinese have finally perfected plagiarism and theft of intellectual property as a national sport. The Reuters wire service said in March that the Beijing People's Court fined two government employed editors and the China Procuratorial Publishing Company for word-for-word theft of the work of researcher Zheng Chengsi on copyright piracy. The Guangming Daily said the editors lifted whole sections of the studies Zheng wrote for the Chinese Academy of Social Sciences on software protection and intellectual property. Reuters added, "Chinese authorities, eager to gain re-entry to the General Agreement on Tariffs and Trade, have promised to uphold copyright and trademark protection." No truth to the rumor that the Chinese Software Engineering Institute has adopted "Copy that floppy!" as its new motto. ------------------------------------------------------------------ FOLLOW-UP COMMENT ON MARK LUDWIG'S FIRST INTERNATIONAL VIRUS- WRITING CONTEST [Originally published in entirety in Computer underground Digest 5.21] ------------------------------------------------------------------- From: bontchev@INFORMATIK.UNI-HAMBURG.DE(Vesselin Bontchev) Subject: comments on proposed virus writing contest (Bontchev) Mark Ludwig's virus writing contest is yet another attempt to incite the creation of computer viruses that hides behind seemingly legitimate reasons. Just like his book and newsletter, which hide behind the right of the US citizens of freedom of expression, the "legitimate" reasons of the contest fall apart, if you look carefully at them. Let's consider some questions which naturally arise when reading a proposal like that. What are the values/dangers of such contests? In the beginning of the proposal, the author boasts that he needs the virus for the second volume of his book, which will discuss "the scientific applications of computer viruses, and their use in artificial life research". However, actually the contest it for writing the shortest possible non-overwriting MS-DOS COM file infector. What does this have in common with artificial life? What are the scientific applications of such a silly (but small) virus? And what does all this have to do with "research" in general? Actually, it is nothing more than a contest to hack the smallest program that performs given actions - nothing more. In fact, the author even addresses the potential participants of the contest as "hackers", not as researchers or scientists. And indeed, the goal of the contest has nothing to do with scientific research. The result of this contest is easily predictable. A few hundreds of kids will write hundreds of smart, not so smart, and completely buggy viruses. One of them will win the $100 prize. The others will have to decide what to do with the viruses in their disposition that have not won the contest. In all probability, they will upload them to the nearest virus exchange BBS, where other irresponsible people will be able to download and spread them further. "K00l dudez, I've got one of the participants in Mark Ludwig's contest for you"... The winner of the contest will have his name, or more probably, his handle, mentioned in the book, which will stimulate his ego and incite hundreds of others to imitate him and to create more viruses. Of course, all those viruses will end up in the hands of the anti-virus researchers, who will have to update their scanners to be able to recognize them, just in case some of them accidentally "escapes". And, since most of those researchers don't work for free, the users of their anti-virus programs will have to pay for yet another update. Who wins of all that? Mr. Mark Ludwig sells a new volume of his book, a few irresponsible kids get their ego teased, a few anti-virus researchers spend a few nights to disassemble silly viruses, and all of you have to pay - pay for updates of your scanners, pay for the data and time lost in an outbreak of a silly and buggy virus, and so on. Indeed, what a service does Mr. Mark Ludwig to the society! In fact, the outcome of the first volume of his book already proves that the above reasoning is correct. There are already at least 7 different variants of the silly Timid virus, published in the book... How do we distinguish between "benign" and "malevolent" virus writers? Some people like to speak about the possibility to develop "benign" and even "beneficial" viruses and about how much this kind of research will make our life easier. In fact, all that began with Dr. Fred Cohen and his papers on the subject. Dr. Cohen means something very particular, something that most people will never call a virus. Unfortunately, in his papers he tends to use formulae, instead of easily understandable language, so it is no wonder that many people are misunderstanding him. I cannot decide whether Mr. Mark Ludwig has indeed misunderstood Dr. Cohen's ideas, or if he intentionally misuses the general misunderstanding of the subject, in order to masquerade his virus writing contest as something legitimate. However, fact is, that what he proposes has nothing to do with Dr. Cohen's ideas for beneficial viruses, will have absolutely no positive value, and will rise yet another wave of stupid viruses written across the world. Actually, there is no such thing as "benign" or even "non-destructive" virus, as Mr. Mark Ludwig seems to understand it. The virus that is proposed in his contest will infect real, executable programs. The author of the virus has absolutely no way to know how will his virus behave in some situations. In fact, it may turn to be even highly destructive in some of these situations. Just an example. One of the first versions of Microsoft Word (1.0, I think) used to checksum itself, and, if the checksum didn't match, displayed a message on the screen (something like "The tree of evil has bitter fruits; crime does not pay") and trashes the current disk. Obviously, if it becomes infected with the virus described in the contest, this destructive code will trigger - with sad consequences. Several other self-checking programs will not react that violently, but will simply refuse to run when infected. Thus, the virus will be guilty for denial of services - maybe lost time, money, business... Even worse, the virus author is not able to predict the future, so he has no way to know how his virus will behave in situations that simply don't exist yet. Maybe it will turn out to be highly destructive - recall what the "benign" Stoned virus does with high-capacity floppies that have been simply not available at the time it has been written... Is there any educational value in those contests? Mr. Mark Ludwig claims to write his book for educational reasons. But what does actually he teach his readers? How to write viruses? Even if we leave alone the doubtful value of this knowledge, there are already a few books and many more electronic articles, circulating in the underground, that teach exactly that. Maybe he wants to teach his readers to write good assembly language programs? But, at least his first book, does not discuss the good programming practices at all, and in fact contains many samples of sloppy and clumsy code. So, maybe he wants to teach his readers about the top technology employed by viruses to bypass the different security systems? Even this is not true - he does not address such modern concepts as armouring, polymorphism, slow viruses, fast infectors, multi-partite viruses, or even fully stealth file infectors... For instance, nowhere in the book there is a discussion of the different kinds of attacks that can be employed by viral programs to circumvent discretional access controls, integrity-based systems, and so on. All we see is a bunch of silly MS-DOS viruses that barely work. This rises yet another question - are the virus writers able to teach the security specialists to something that the latter don't know already? Many virus writers sincerely believe that; for instance Mark Washburn has written his V2Px series of viruses, in order to "prove" that scanning is unreliable virus defense. However, it turns out that in all cases the security specialists are aware of the problems since a long time. Even the concept of a computer virus and the difficulties connected with its detection and prevention have been first invented by a security specialist - Dr. Fred Cohen, not by John Random Virus Writer... In all cases when the virus writers have come up with something new and original, the security specialists have thought about it since a long time, but have been ethical enough to only discuss it in closed circles, instead of implementing it and releasing it to damage other people's data... At last, one could ask the question whether Mr. Ludwig's contest is legal. In the text he boasts it as an "international" contest. However, this demonstrates an amazing ignorance of the local law in some countries. Participating the contest and writing viruses for it may be illegal in some countries, as the recent arrests of the ARCV virus writing group in the UK have proven. Freedom of expression is a wonderful right, but Mr. Ludwig should be aware that the US constitution does not apply to the whole Universe and thus, some things allowed by it might be illegal in some other countries. Therefore, anybody who decides to participate Mr. Ludwig's contest, is strongly advised to consult a local lawyer. Of course, it would be much better to ponder a bit how unethical the whole thing is and to refuse to participate the contest at all... But maybe Mr. Ludwig is not that ignorant, after all. The text of the contest encourages the participants to use handles and other forms of anonymity. Maybe this is because Mr. Ludwig understands that those people might be held legally responsible in some countries for such activities? In this case, his contest is nothing more than an incitement to commit a crime (in those countries where virus writing is considered illegal). I wonder whether some of them have extradition treaties with the USA... ------------------------------ From: Urnst_Kouch <70743.1711@COMPUSERVE.COM> Subject: virus-writing contest What is the danger of Mark Ludwig's international virus-writing contest? Well, according to contest rules, the winning virus code is destined for publication in the second installment of "The Little Black Book" series. "Oh, terrible, terrible!," wail anti-virus software developers throughout the land. "More virus code in the hands of anyone who wants it! These miscreants and electronic sociopaths are already making computing untrustworthy enough!" Bunk. Publishing any or all of the code collected in Mark Ludwig's contest won't make any difference. Why? Because there already exists more well-commented virus source code in general circulation than any one person has time to analyze. Taxpayers can download it by the megabyte from the Bureau of Public Dept.'s bulletin board system 24 hours-a-day, no strings attached. Or if you feel the need to be more "elyte," more "politically correct," it can be had from the favorite whipping boy of the anti-virus community - shhshhh - your friendly, neighborhood virus exchange sysop. Beating on Mark Ludwig for his virus-writing contest, then, strikes me as stupid. It's hypocritical, too, because as some involved in virus research know, a great many of the working samples of viruses found on virus exchange BBS's come attached to "sacrificial goat" files bearing the trademark of a number of anti-virus vendors. You can find extremely detailed virus disassemblies on virus exchanges, too. Not so surprisingly, some of these are composed by the same anti-virus researchers who whine in electronic publications like Virus-L Digest about the unrestricted flow of viruses and their source code. So if the virus-writing contest is dangerous because it subverts the control of "sensitive" information, the anti-virus community lost that battle a while ago, soundly beaten by a large number from its own rank. Next, do security specialists have something to learn from virus programmers or sponsors of virus-writing contests? Yes, indeed. For example, about a year ago I wrote a couple of stories on the Michelangelo phenomenon for a daily newspaper. In the course of my research I tried to dig up a few books to recommend to sophisticated readers. Mark Ludwig's "Little Black Book" was the only one I could find that wasn't either horribly wooden or written for someone with the attention span of a very small child. I endorsed it in the pages of a daily newspaper. The sky did not fall. The region's computers weren't besieged by a horde of Ludwig viruses. In addition, a number of computer security workers within different arms of the U.S. government already consult virus programmers on various security problems. When I asked one of them why, he replied that he didn't want to be backed into relying on the anti-virus community for advice, advice he saw as too self-serving. That leaves the question of how to distinguish between "benign" and "malevolent" virus programmers. Hmmmmm. That's a tough one, because the picture's more complex than that. Unless you buy the idea that virus programmers either write disk-corruptors set to go off with a bang on weird holidays or make them for courses like Patrick Toulme's "Virus 101," you're stuck coming up with an answer. You might decide to go with the popular stereotypes of young men with too much pent up hostility or unemployed programmers from politically and economically uncool locales like Russia, Bulgaria and China. But that dog won't hunt if you think of Fred Cohen. Or you can try to describe them as "groups" like NuKe, TridenT or Phalcon/SKISM. And THAT leaves out a great many loners who collect viruses like stamps and occasionally need to come up with a fresh one as barter for that new, rare "tunnelling, polymorphic full stealth" beauty from Outer Slobovia. These guys could care less whether any virus they have gets into the wild. In fact, they probably would like to see less of that - keeps the collection more unique, more "valuable," you see. Clearly none of these are an answer. So try asking a better question. ------------------------------ From: kim clancy <71011.2056@COMPUSERVE.COM> Subject: Comments on the Virus Writing Contest Comments on the first international virus writing contest by Kim Clancy My comments on the 1st International Virus Writing Contest is that I don't care about the first international virus writing contest. I don't care if someone sits in the privacy of their home and develops a computer program to destroy every type of computer on the face of the earth. I don't care if they post them as public information on bbses, magazines, or print them in books for profit. I don't care! I believe it is everyones' constitutional right to be able to write any type of computer code they want, discuss it with others, share the code and document the process. I believe that to remove this right from individuals is removing their freedom and individual rights. On the other hand, I do care about someone intentionally destroying the property of others. I do care about harm done to others and I do care about someone planting viruses for that purpose. But, this contest is not called the "1st International See How Much You Can Destroy by Planting a Virus Contest." I just don't care (did you pick up on that yet?) I know there are hundreds of viruses available. I have many of them myself, most of them sent to me from anti-virus researchers (that is another story in itself though.) All the harm that could be done by viruses could more than likely be done with existing code. Running a contest asking for better code doesn't appear to offer a significant threat. At the same time, I can't see any need for such a contest and fail to understand what good it could produce. Nonetheless, individuals should have the right to participate in this contest. By the way, while this may be the 1st International Virus Writing Contest, I think (although haven't confirmed) that Fred Cohen told me (on the one and only occasion I talked to him) that he had held a virus writing contest and offered $1000. He received no entries. ----------------------------------------------------------------- IN THE READING ROOM: MORE ON "APPROACHING ZERO" (Mungo & Clough, Random House) ----------------------------------------------------------------- ". . . if the Dark Avenger hadn't existed, it would have been in [Vesko Bontchev's] interest to have invented him." -- from "Approaching Zero" After a year in Europe, "Approaching Zero," a fairy tale of cybercrime and virus-programming shenanigans, is finally on bookshelves in a mall near you, courtesy of Random House. Unfortunately, I've already trotted out the book's only good quote. The rest of "Approaching Zero" is sodden garbage wrapped in whiz-bang entertainment writer-style prose. [Now THAT would make a great dust cover blurb.] For example, Clough and Mungo blurt out the claim that 12 million of the world's 90 million PC's will be infected by viruses in the next two years. Do they have any support for this? Nope, you just take their word for it, buddy. These claims seem the work of seasoned hypocrites, indeed, when one considers the authors spend a lot of time in "Approaching Zero" whacking other anti-virus researchers over the head for making similarly unsubstantiated calls. But "The universality of the PC culture is reflected by the provenance of viruses," squawks Hollywood Reporter Paul Mungo at one point! We forgive our readers for asking, "What the Hell does that mean?" How would they know it was written so the authors would be assured an evening on the now-cancelled Dennis Miller Show? Anyway, by the end of this flatulent book, Mungo and Clough have even tried to rope in the Doomsday Clock featured on every cover of The Bulletin of Atomic Scientists. Seventeen minutes away from atomic disaster is the symbolism of the clock; in like manner entertainment writer Mungo tries to draw the comparison toward the PC equivalent of nuclear holocaust in the guise of the computer virus, never mind the Bulletin has nothing to do with computer viruses and it's clock has been moving AWAY from Gotterdammerung since Ronald Reagan left office. "Approaching Zero's" final paragraph warns balefully of the Russian LoveChild virus, presumably poised to turn your hard drive into radioactive cinders. Mungo and Clough don't include that it's a stupidly buggy virus which hangs on any PC not using DOS 3.30. [And as obvious on a 3.30 OS as this issue's simple PC Carbuncle.] These are purely minor points, of course. -------------------------------------------------------------- EDITORIAL SPOTLIGHT: RASHPUTIN SPEAKS ON THE TRAPS AND PITFALLS OF CODE REGULATION ______________________________________________________________ Since becoming interested in viruses about three years ago, I have tried to keep up with advances in virus development, anti-virus software, and attitudes among various groups interested in viruses. Since the summer of 1992, there seems to have been an increase in the number of proposals to outlaw the writing of virus code. While there have been such proposals in the past, the types of individuals willing to legally define the creation of virus code as forbidden fruit appears to have expanded. Initial proposals were almost invariably made by frightened users who had just read their anti-virus software documentation, a column in the popular PC press, or had seen Ted Koppel and several other talking heads discussing Michelangelo. Of late, these three groups have been joined by quite a few members of the academic community. It is the growing presence of such academic advocates that disturbs me. It is quite natural for users, even so-called power users, to be upset at the prospect of uninvited and potentially destructive software mysteriously appearing on their system. Most of these folks were only introduced to microcomputers after such machines were very stable and running quite refined applications. To them, software is a tool to be mastered in pursuit of some other goal. They are blissfully unaware that even some of the current 'winners' in the software field have grown out of early versions which were buggy and fragile to the point of being dangerous. Anti-Virus software vendors are, naturally, willing to overstate the need for their product, and the risk of doing without it. That some vendors are even misrepresenting the utility of their product to the point of outright fraud is nothing new, either. Mini and mainframe vendors have established a long tradition of such overzealous sales tactics for both software and hardware. Columnists, also naturally, are prone to focus an article or headline on the portion of a subject that is most likely to grab the reader's attention. To expect popular PC columnists to be consistently well informed on their subject matter is a bit unreasonable in a society that does not even expect their news media to be well informed on issues of national consequence. Over all, I understand the first three types of individuals who have been associated with the idea of outlawing virus writing. I cannot, on the other hand, understand the growing number of academics who agree with or promote this idea. Before reviewing what seem to me to be the most worrisome aspects of these proposals to outlaw virus writing, let me be clear about where I stand on several specifics. I do not support the installation of an executable virus on a system to which the "installer" does not have legal, legitimate access. Nor do I support the distribution of an executable virus in such a manner that conceals the presence of the virus to permit the virus to execute as part of another legitimate executable. Read that carefully. If a user knowingly installs software containing a virus on a system to which he has legal and legitimate access, and that virus upon execution causes damage, then any resulting damage is either an incidental and acceptable consequence of the user having been granted access, or it is the result of the user's negligence. Either way, it is a problem internal to the organization. If a user obtains an illegitimate copy of a program then the installation and execution of that program is in and of itself an illegal act. Consequently, any damage that program causes, whether through the execution of application code or attached virus code, is primarily result of the users illegal software piracy. Again, we have problem within a specific organization. I have seen many descriptions of the 'virus crisis' used to justify outlawing the writing of virus code. Most are logically similar to the following: 'Viruses and their wide distribution threaten the inter-connection of systems, which is the next major step in computer system usage and functionality. Unless we can halt this menace, we will be threatening the integrity and acceptance of such networks.' Well, scary indeed. But I can recall when IBM was using almost identical language to impress upon its clients and potential clients how the future of software development was being threatened by having a multiplicity of programming languages in common use (their solution revolved around getting the entire world to program in their new language, PL-1, on fine IBM hardware). In my experience, Mr. Average User's system is most likely to become infected from a pirated copy of a major software package, not from a Shareware program downloaded from the local BBS as is commonly assumed. Consider, too, how much easier it is to tell the boss that there is a virus outbreak than it is to tell him how well "wild card" file deletion works, and how little can be recovered after the disk de-fragger has been run. Things aren't nearly as frightening when human nature is considered along with the latest reports of virus outbreaks. On top of it all, I have yet to see anyone talking about collecting the serial numbers or other registration information for all applications on any system which appears to have become infected. Maybe the existence of virus code is called the 'Virus Crisis' because so many people are in a state of near panic over the possibility of having to start paying for their software rather than just trading with someone down the hall. In any event, remedies which seek to control the writing of virus code rather than the actions which spread live virus executables, are basically expressions of the theory that users have the right to be irresponsible. If software vendors distribute programs containing viruses, then the remedy is to hold software vendors liable in such instances. If users are installing pirated software on systems to which they have access, then those users are already guilty of an illegal act and should be liable for the consequences of their actions. While I can personally see the utility of self-replicating autonomous code similar to a virus, I am willing to believe that many of these academics have decided that such code is completely useless. Personally, I believe there is a real need to study such code, especially when one considers what system management will be like in a world where vast networks are common. The ideas embodied at this point within virus and worm code could provide the basis for tools to patch, revise, or upgrade software distributed across multiple computers on such a net. A vendor might, for instance, have something of a cross between a virus and a worm wandering the nets and looking for copies of specific applications that are in need of the modifications it is capable of carrying out. Whether this and other thoughts of mine regarding the utility of virus-like code are silly or sublime, to outlaw the writing of such code has some serious implications. Implications that should be apparent to those who are a part of the academic community. In theory, those in the academic community are more dedicated to the pursuit of knowledge than most other folks. Certainly they should be more sensitive to restrictions on various forms of inquiry than is the average computer user. I have been rather regularly following several electronic magazines and conferences where the proper legal definition of a virus is discussed. These discussions center on finding an extremely clear definition of a virus so that 'good' legislation can be written. What is notable to me, but to my knowledge, of little concern in such discussions, is that the English language is being used to define a very specific type of software. I am impressed with this because there is a long, well-documented history of disappointment with the English language as a software specification language. There is, indeed, an entire industry built around providing languages, methods, and tools which supplement or replace English in order to clearly define software. Furthermore, most of the participants in these conferences seem to be unaware of the fact that lawyers will probably regard the definition of a virus as the primary part of any regulation only until there is sufficient precedent and case law upon which to build. No matter how well constructed one feels such a definition is, there will be a great deal of ambiguity in any such virus control legislation unless specific code constructs are included within the definition. With specific code constructs as a part of the definition, however, we could well end up with the law being applied a manner that would include a great deal of non-virus software. Software that contains bugs, software that is not sufficiently described or documented for the user, and software that is capable of being altered by the user (i.e., macro languages, etc.) could all fall within the law's domain. Even if no code constructs are included in such a definition, we will most likely see major legal battles fought over all kinds of implied meanings in the law and the definition. Given the man years of effort and millions of dollars spent to determine whether Apple's largely stolen 'Look and Feel' were infringed upon by Microsoft, I can't see how any legislation that defines the writing of specific types of software as illegal can fail to become a gold mine of harassment suites and publicity stunts. The same forums that are frequently used to debate just how to control virus control through legislation, are rife with rumor and paranoia regarding the government's involvement in the issue of encrypted communication. Here we have people who are arguing for the outlawing of virus writing and in their next breath arguing for premise that the government should not be able to regulate the quality and availability of encryption software. This is seen as a way to guarantee that the rights of private and free speech are ensured, regardless of the medium one chooses. To hold such an opinion regarding free speech, yet fail to see the outlawing of virus writing as in no way connected to it, is extremely narrow minded. Most threats to our freedom originate with the government endeavoring to protect us from some popularly perceived threat to the 'public.' For years, the Soviet Union as nasty enemy provided the basis for legislation aimed at preventing the bad guys from being able to read our mail, and to ensure that we could read theirs with as little effort as possible. That era apparently over, how will the government justify its' continued interest in reading its' citizens mail? What better than a major threat to the millions of honest, hardworking, PC users who could have their systems shut down by some virus? Will the nation's competitiveness go down the porcelain punch bowl if we allow virus code to be written and distributed? To my knowledge, the obvious weakness of a given piece of logic has never kept the government from taking action based on that logic. However lame 'virus control' efforts may seem as a reason to regulate the quality and availability of encryption software, I feel sure that the effort to connect the two will be made if there is any legislation that outlaws the writing of virus code. Yes, I can just hear the old excuses rising once more in Senate hearings: 'Unless we're able to decrypt network packets, how can we do the types of spot checks or monitoring of known virus groups required to ensure that virus code is not being written and even distributed under our very noses? Without that ability, Senator, we cannot enforce the virus writing ban that the Congress has enacted.' The last but most frightening aspect of the desire to outlaw virus writing is the small matter of freedom of speech itself. While most participants who advocate banning of virus writing would permit 'legitimate' virus research to continue, there appears to be a consensus that only academics and anti-virus software vendors are legitimate researchers. While I have yet to see a discussion of how a person outside these two groups could become classified as a legitimate researcher, I have seen discussions regarding which sub-groups within the academic community should be permitted to write new virus code as opposed to only studying the code from existing viruses. Geeez. The "Elite Academic Virus Writer's Chapel" hasn't even been built yet, and some folks are already trying to define the hierarchy of the priesthood. And I don't see how writing code that can be turned into a potentially damaging executable by passing it through a compiler or handing it to an interpreter is all that different from any other written material. Jesse Jackson and David Koresh read the same Bible, after all, but interpret it quite differently. Given that a faulty compiler or interpreter can obviously execute the 'code' contained within the Bible in some nasty ways, why shouldn't the printing of Bibles be prohibited right along with virus code? If we are going to start altering constitutional freedom of speech guarantees, why not freedom of religion guarantees as well? It appears that the existing laws were sufficient to prosecute and convict the author of the Internet worm. It also appears that more than a few folks felt that existing laws were sufficient to unjustly prosecute Steve Jackson Games. If there had been a few more absurdities available to throw into the Steve Jackson Games case, we might well have seen a much different result. Even with Steve Jackson off the hook for now, there will be further attempts to define existing laws in a way that provides for more governmental control of our electronic meeting halls. Well, that covers those aspects of the anti-virus movement that I personally find most troubling. There are other issues, but they aren't nearly as open-ended as the few I've covered. Don't let the issue of outlawing the writing of virus code just slide past you. While I doubt that such legislation being on the books would convince any virus writers I know to just hang up their coding spurs and join the local 4H club, I do think that such a law could well become the basis for other actions that could eliminate or restrict major portions of the electronic realm in which we meet. ---- RashPutin' -== Rashputin has been involved in programming and systems development since 1975, working on a wide variety of systems for clients who have ranged from the Defense Department to Willie's Video Stop. Since 1983 he has been an independent consultant specializing in distributed database development. Recently retired, he now spends most of his time helping others find alternatives to traditional gang-banging development methods.==- ------------------------------------------------------------------ IN THE READING ROOM II: FRED DAVIS'S "THE WINDOWS 3.1 BIBLE" [$28.00, PeachPit Press] OR, "WHAT THOSE HYPERBOLIC DUST COVER BLURBS REALLY MEAN" __________________________________________________________________ Fred Davis's "Windows 3.1 Bible" is one of the typical 1,000+ page computer manuals (book is a term that doesn't really apply, a book is something I read for enjoyment) which currently stuff up the shelves of mall shops everywhere. They are, in essence, "books" for people who are stupid enough to believe it's easier to absorb a 1000+ page $30 manual than the 250+ page manual already included with their software packages. Nevertheless, like horseflies at the outdoor swimming pool, manuals by Fred and his ilk must be dealt with by everyone. So in the spirit of public service, the Crypt Newsletter has decided to give you a tutorial on how to interpret the blurbs and cues on Fred's book jacket so that YOU can make a good consumer choice. Here we go: When lollipop business and technology journalist Gina Smith of the San Francisco Chronicle says, "Fred Davis tells it like it is," she really means, "If you're looking for a book that tells you what all those cryptic Windows 3.1 error messages REALLY mean, this one ain't it either. "But I want to write a computer book, too, someday and Fred's a big deal, y'know." When Ziff-DAVIS Labs employee Andrew Eisner writes "Fred Davis is a visionary and all-around computer wizard," he really means, "Look where I work! Do you expect me to tell the truth about Fred and foul my own nest?" When Fred's dad writes this blurb on his son's book, "While Fred was growing up, I was an IBM bigwig and his mom was an English teacher. Fred was actually raised from birth to write about computers," HE REALLY MEANS, "Yeah, I think having your Pop write a recommendation for you is really Mickey Mouse, too. But what the hey, I'm from IBM and quite comfortable with all kinds of quasi-fraudulent marketing gimmicks." And when this book tells you on its spine that it "Includes a coupon for FREE book and FREE disk," IT REALLY MEANS, "Remit $6.00 cash money for your FREE goods or go to Hell." ------------------------------------------------------------------ VIRUS COMPLEXITY: IS THAT COMPUTER THINGIE A RIVAL TO THE BIOLOGICAL REAL THANG? ------------------------------------------------------------------ In "Artificial Life," the hated Steven Levy maintains that one of the simplest natural viruses has less complexity than the Brain virus. From that he builds the idea the computer viruses are close to being alive. The Crypt Newsletter has always believed this is crap, the kind of nonsense which anyone can come up with if they massage numbers for too long. If we start with the Brain virus and assume its length is approximately three thousand bytes, you can make the case that each byte contains 8 bits of information. Using this argument the Brain virus, at most, contains 24,000 pieces of information. The trick at this point, if you're going to compare computer viruses with biological ones, is to make a yardstick which will relate that figure to some corresponding value of a biological virus. If we take a typical human virus like influenza we can get a value of 200,000 for an approximate number of nucleotides which make up the viral core, it's genome, it's control center. Each nucleotide consists of one sugar molecule, one phosphate molecule and one of the four "bases" - guanine, cytosine, adenine, thymine - which almost everyone has heard bandied about on programs like "Beyond 2000!" Each of these molecules consists of varying numbers of carbon, hydrogen, nitrogen, oxygen and phosphorus atoms. If we count all the atoms, we're left with a partial aggregate molecular weight for the virus which includes only it's core, not its protein shell composed of structural materials and enzymes which give the virus a great deal of its activity. As a naked strand of DNA, the virus contains all the information it needs to create a copy of itself. However, by itself the genetic material of the influenza virus is not particularly viable. This is where it differs a great deal from a computer virus. Computer viruses are - for the sake of our discussion - naked strings of instructions and that's it. So before you're completely lost let's cripple our discussion slightly for simplicity's sake and consider only the nucleotide length of a biological virus. We can estimate that each three nucleotides are responsible for one amino acid - the basic building blocks of the proteins which give the biological virus activity and structure. Dividing 200,000 by three, we come up with a maximum amino acid count of approximately 70,000. If we compare the Brain computer virus's bit count to this number, the influenza virus is 3 times more complex, but on the same order of magnitude. If we consider one of the most complex computer viruses, The Whale, it has a bit count of between 56-80,000. For our use, equivalent to the 70,000 for influenza. But there's something amiss here. The Whale is barely functional and can usually be coaxed into replicating only once or twice before crashing the host machine. By contrast, the influenza virus is a model of efficiency - The Whale is not even worth comparison. If you believe in God, it's clear he does a better job. In addition, the influenza virus could be said to be in an almost constant state of self-mutation and evolution, requiring a new vaccine every year. Neither The Whale or Brain are analogous. One anti-virus scanner cures all, until some dupe decides to mutilate the original code. While this argument makes for interesting comparisons, it's by no means complete. It is difficult to relate the complexity of a biological virus to a PC virus simply because the information in it is not defined 100% by a string of naked instructions. The chemical complexity of nucleotides is not comparable to the complexity of instructions like "mov ax, offset file_name". It is, obviously, much greater. As a last comment to keep you scratching your head, consider the biological character known as the "viroid." The "viroid" is a mere fragment of genetic material which can replicate in a host cell. An average viroid is about 300 nucleotides long, or contains about 100 bits of information by our above model. The OW overwriting virus, by our arguments, has about 240 bits - a bit <heh-heh, couldn't resist> more than the typical viroid. Viroids aren't considered even close to being alive by many microbiologists, but rather examples of very active replicating molecules. -= Urnst Kouch received his Ph.D. for analysis of proteins and mechanisms of pathogencity in microorganisms.=- ------------------------------------------------------------------ IN THIS ISSUE: THE PC CARBUNCLE VIRUS __________________________________________________________________ Included in this issue is the source code for the PC Carbuncle. The PC Carbuncle is a hybrid spawning/overwriting "toy" virus. Placed in any directory, the PC Carbuncle will search out all .EXEfiles and rename them with .CRP [for Crypt] extents. The virus will also copy itself into the directory as a hidden file and create "companion" batchfiles for all the renamed hosts. The "companion" batchfiles contain commands to run the PC Carbuncle, switch the renamed host file back to its original state, execute the host, rename the host back to its .CRP extent and execute the Carbuncle once again. If the user is employing a nice graphical interface, the host files will be seamlessly executed by the Carbuncle's fabricated batchfiles. All the host files can be renamed back to their original .EXE extents and the batchfiles deleted. However, there is a catch to this plan. Randomly, the PC Carbuncle will copy itself to 3-6 of its host .CRP files, destroying them. If the user discovers the new batchfiles and hidden virus, CARBUNCL.COM, deletes them and renames the hosts back to their original state, the PC Carbuncle can re-infect the whole directory if any of the hosts were infected by the virus in its overwriting stage. Since the virus's overwriting stage destroys the host, it limits this action to a few files in the directory, leaving the remainder of the programs undisturbed. The basic code of the PC Carbuncle is open to plenty of futile tinkering. The number of host files overwritten can be easily changed as well as the frequency with which the virus toggles into its overwriting mode. The virus can also be edited to include just about any message in its batchfile by simply editing the second data area containing "CARBUNCL" to something like "ECHO Your dumb message comes here". [N.b.: If you do this, recognize that the PC Carbuncle is called a second time to clean-up, i.e., to ensure all .EXEfiles in the current directory are always renamed as .CRPfiles. If altered, it reduces the PC Carbuncle's efficiency slightly. Plus a "gotcha" message is even more a dead giveaway then the arrival of 20 or so new .BATfiles in an overcrowded directory.] The PC Carbuncle is not currently scanned. And data integrity checksummers which do not notice the disappearance or renaming of files in a directory are useless, a failing more common than most think. And since the virus ONLY overwrites programs renamed in a fashion not currently recognized by anti-virus software, these radical changes to executable code, while obvious to an educated user, are invisible to many brain-dead program designs. Nevertheless, since it is such a primitive companion virus, it is hard to imagine the Carbuncle spreading off of one machine. To someone used to the DOS command line, the virus is immediately noticeable, if momentarily puzzling. On a machine employing a graphical interface, however, the virus could be missed. Since the PC Carbuncle does not alter all of its hosts, it might *theoretically* operate beneath a pretty menu for some time after an initial vigorous round of infection. Or at least until the virus overwrites a .CRPfile that's regularly used. [What, you don't think so? I've seen many instances of users thoroughly confused by the appearance and disappearance of bloated temporary and swap files on many machines.] Of course, if the Carbuncle overwrites a .CRP file larger than 65k, even if the file is renamed back to its .EXE extent, DOS won't run it. In addition, PC Carbuncle infected machines will occasionally generate "bad parameter" error messages. [This is due to random bits of electronic garbage which DOS infrequently puts in the PC Carbuncle's batchfiles as they are being written. The extra data does not corrupt the behavior of the virus, but does result in random, meaningless error messages.] The PC Carbuncle contains no hazardous code other than the idiot savant routine which causes it to overwrite "infected" .CRPfiles. The Crypt Newsletter is indebted to alert reader Nikademus for his contributions to the code of the PC Carbuncle. ------------------------------------------------------------------- FICTUAL FACT/FACTUAL FICTION: WAMPETER, FOMA AND GRANFALLOONS ___________________________________________________________________ The Crypt Newsletter Fly-On-The-Wall reports that the March IEEE Security Conference in New York City was a grand flop. Plagued with a small turnout of about 150 security experts, the conference came up with little more excitement than the ejection of Virex developer Ross Greenberg for being "too commercial," whatever that means. [Informed sources say this translates as, "seen reaching into your trousers for a business card."] Panda Systems' Pam Kane was also removed by security personnel, perhaps for wearing a red dress. "Joe Smith" of Phalcon/SKISM was not removed. ---*--- Another virus construction tool cropped up in Southern California in the last month. Alert reader Lookout Man snagged a copy and reported that the documentation promised production of polymorphic and full stealth viruses. Grand claims, indeed, when one considers the toolkit came with an "extraction utility" which was merely a renamed version of PKZip. The toolkit archive itself was password protected. To get the password, the user was asked to call either of two phone numbers, or contact a POB drop in Industry, CA. One of the phone numbers was disconnected, the other answered by someone claiming mistaken identity. ----*---- The next Virus and Security Conference in Varna, Bulgaria, will feature a guided-tour of the Bulgarian Virus Fabrik, or Bulgarian virus factory as it has come to be called in the western news media. The tour, conducted by Vesselin Bontchev, will include a bus ride to Betguano, the location of the factory, halfway between Varna and Sofia. After viewing the facility, sequestered in a renovated chapel, Mr. Bontchev and virus factory manager DaV invite guests to a complimentary happy hour where quantities of local champagne and Ripple will be mixed in a rare Bulgarian cocktail called Champipple. ----*----- Crypt Newsletter editor Urnst Kouch will be featured in an 18-page interview in the April issue of Gray Areas magazine. Gray Areas is an emerging publication which deals with controversial issues and personalities in 1990s America. The magazine can be found at WaldenBooks, Barnes & Noble, Bookstar and many alternative music stores nationwide. ---*---- McAfee Associates Inc. has wasted little time in voicing its opinion of Microsoft Corp.'s new MS-DOS 6.0 Anti-Virus. Junk it is, they imply, and it will not be a substitute for their firm's own virus-fighting programs. In a press release from Santa Clara, Calif., the company, "Based on initial responses from its customers, which include 66 of the Fortune 100 companies, McAfee concluded that the virus protection found in MS-DOS 6.0 is not a solution for corporate virus protection." John McAfee continued by saying the new set of utilities in DOS 6.0 fail to deliver features or benefits to those of independent utilities. "In particular, Microsoft will have a difficult time matching the level of technical expertise and customer service for anti-virus software that is currently offered by McAfee Associates." Unlike Microsoft, "Users have direct access to the company," said the statement, "through its customer support department, online services which provide 24-hour electronic support, and through a network of independent authorized agents around the world." ". . . Central Point Software, the company that provided the virus protection software for DOS 6.0, has a 61-percent virus detection rate for the most recent version of its anti-virus product, according to an independent certification [ED. - reference VSUM] done in March 1993 against 1,956 viruses. This compares to a 96-percent detection rate for McAfee's virus protection software, according to the same certification." Now all this sounds like sour grapes but alert Crypt Newsletter readers already know the McAfee criticisms are valid. Central Point Anti-virus has, in the past, proven extremely vulnerable to a variety of standard virus techniques including polymorphism, spawning infections and minor variants of common viruses like Jerusalem. In a related matter, Microsoft Anti-virus cannot handle as simple a virus as this issue's PC Carbuncle for reasons explained within the newsletter section devoted to the virus. ---*--- SOLOMON'S ANTI-VIRUS TOOLKIT GETS A FACE-LIFT: The recent version of this anti-virus software sports a newly revamped menuing system which modernizes the look of the Toolkit but retains all of the features trusted by long-time users. ------------------------------------------------------------------- THE CRYPT NEWSLETTER IS MOVING!! At the end of April, the Crypt Newsletter will be relocating to more spacious editorial offices in sunny Southern California. Users of Crypt InfoSystems need not be alarmed. Within arrival at the new offices we will be back on-line 24hr a day at 14.4 bps. To smooth the transition, current users of Crypt InfoSystems are encouraged to leave e-mail for Urnst Kouch at CIS or the newsletter's INTERNET and COMPUSERVE addresses containing a mailing point. Those supplying addresses will receive a postcard informing them of the Southern California phone number. The new number will also be published on BBS's where one usually finds the newsletter. Do to the nature of the electronic medium, we don't expect a transcontinental jump to disrupt publishing. Urnst Kouch can always be reached at Micro Information Systems Services BBS in Santa Clarita, CA, ph #: 1-805-251-0564/9600 bps. --------------------------------------------------------------------- THIS ISSUE'S THANKS AND A TIP O' THE HAT TO ALERT NEWSLETTER READERS SANDOZ, LOOKOUT MAN, MOOSE, THE FLY-ON-THE-WALL AND CORY "I AM PERSONAL FRIENDS WITH THE WHACKO FROM WACO" TUCKER. ____________________________________________________________________ Included in this issue of the newsletter are the following files: CRPTLT.R14: this electronic document CARBUNC.ASM: source code for the PC CARBUNCLE virus TOTOSRC.ASM: source code for TOTORO DRAGON virus CARBUNC.SCR: DEBUG scriptfile for PC CARBUNCLE TOTO.SCR: DEBUG scriptfile for TOTORO DRAGON To assemble files into live viruses, use your favorite assembler on the assembly listings or use the MS-DOS program DEBUG.EXE, to manufacture the viruses from their respective scriptfiles. At the DOS command prompt type: DEBUG <*.scr where *.scr is the virus scriptfile of choice. After a few moments, DEBUG will have assembled the live virus in the current directory. ATTENTION: While anyone who enjoys computers can read the Crypt Newsletter, fiddling with the viruses presumes at least a feeble grasp of the rudiments of the PC operating system. If you view your computer as a mysterious machine with only an on/off switch and seemingly a mind of its own, enjoy the Crypt Newsletter but do not execute the included viruses. To paraphrase author and programmer Mark Ludwig, "You will be as a child playing with a loaded gun." Computer viruses will attach themselves to various examples of executable code on your machine. While doing this, they will purposely or accidentally mangle your data and the resources of your machine. New computer viruses often add themselves irreversibly to files on a computer, necessitating that the file be erased before unhindered computing continues. If a user is not familiar with the basic behavior of computer viruses, it is entirely possible and even probable that a new computer virus will disappear into the code of his/her machine and only be found after it has messed things up quite thoroughly. If you value your $50 PC games, do not know how to handle viruses and/or have only one machine on which you do all your critical computer chores, it would be wise to read a few issues of the Crypt Newsletter and look over the supplied code carefully before fiddling carelessly with something even as innocuous as the PC Carbuncle. The Crypt Newsletter can be found at the following BBS's: CRYPT INFOSYSTEMS 1-215-868-1823 DARK COFFIN 1-215-966-3576 MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564 THE HELL PIT 1-708-459-7267 DRAGON'S DEN 1-215-882-1415 RIPCO ][ 1-312-528-5020 AIS 1-304-420-6083 CYBERNETIC VIOLENCE 1-514-425-4540 THE BLACK AXIS/VA. INSTITUTE OF VIRUS RESEARCH 1-804-599-4152 UNPHAMILIAR TERRITORY 1-602-PRI-VATE THE OTHER SIDE 1-512-618-0154 REALM OF THE SHADOW 1-210-783-6526 THE BIT BANK 1-215-966-3812 CAUSTIC CONTAGION 1-817-776-9564 The Crypt Newsletter staff welcomes your comments, anecdotes, thoughtful articles and hate mail. You can contact Urnst Kouch at CIS BBS, CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com