Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!usc!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: gary@sci34hub.sci.com (Gary Heston) Newsgroups: comp.virus Subject: Re: File tranfser of software--A way to curb commercial infections? Message-ID: <0004.9005251302.AA06957@ubu.cert.sei.cmu.edu> Date: 22 May 90 14:24:24 GMT Sender: Virus Discussion List Lines: 105 Approved: krvw@sei.cmu.edu okay@tafs.mitre.org (Okay, S J) writes: > [ ... ] So why even > bother with removable media? Why not do like a lot of people in the > UNIX community do and get it via network distribution. Networks can be infected, too, which would be regarded as a major security risk by most admins. The current children playing with forgeries in news.admin shows this, as well as the difficulty of tracking down persons causing problems. > It would seem to me that the vast majority of infections comes from > somebody sticking an infected disk in somebody elses machine and then > leaving the virus behind on their machine, or vice versa. M. Or downloading an infected piece of software from somewhere. I suppose someone could figure out how to infect a file being passed through a system, once it becomes a common, standardized practice. > [ infected game example ] > > But if they'd left the master copy on a trusted machine, like the > company mainframe and just let it be up/downloaded to/by Joe Customer, > it seems like you'd stand a lot smaller chance of spreading something > than if you moved it to a series of unsecured duplicating machines. Assuming the company wants to maintain a full library of games on their mainframe or server. In one division of this company, the senior VP put out an edict that anyone who was caught with a game program on their system would be fired. I don't think they'll provide them on a server, either. I also wouldn't want a customer directly accessing a mainframe/server either, for security reasons. They might upload something infected.... As a security matter, the ultimate master and the machine it resides on should be checked daily, or at least prior to any duplication run. It should certainly not be used for anything else, including playing games. > I'm not saying this would cure everything, but electronic distribution > would go a long way to curbing floppy exchange/swapping as a vector > for virus propa gation. If commercially distributed, shrink-wrap software were a MAJOR channel of infection, this would be the case. While some viri reportedly do get into them, I think 75-80% get spread via user's floppies, and not just games. Most of the remainder (as far as I've seen, anyway) get distributed to individual machines on networks, as a result of one user running an infected program (or uploading one) while logged on. I suspect distributed software is only a couple of percent of infection cases. > You might argue that its inconvenient and would take forever to get a > "transmission slot", but look at it this way: Most businesses usually > have to use the company's central purchasing system , which means you > won't get it for a few months anyways, so what does it matter if Oh, so you've worked here, too? :-) > you're waiting for it to show up on your doorstep or on your > harddisk???---Plus you have a single source from which the program(s) > are distributed which is a lot easier to control than trying to find > machine #1316286179, fifth aisle, third row, 5th shelf from the top. If removable media is used, it's the package on the fifth aisle, etc. because you shouldn't be copying the software off another machine to begin with. Incidentally, a similar scheme has been tried some years ago. I don't think you realize the magnitude of distribution you're talking about; there's hundreds of companies out there, with thousands of products, virtually none of which are compatible with each other beyond some low level hardware protocols. All of them will want their way, none will want competitors to have access (i.e., security will be a nightmare--this isn't public domain or shareware we're talking about) and what happens when the system has a hard crash must also be considered. > You are of course welcome to praise, flame, cut to ribbons, or > nominate for a Pulitzer anything I've said in here. When doing so, > assume that the archive/sole distribution system is trusted and is big > enough to handle a moderate user load similar to an average FTP site. > Let me know what you think, I think that on a small scale, this is already being done on networks using a central server. In that case, an admin is responsible for making certain that only clean software gets loaded, as well as educating the users in proper security and operating proceedures. As a means of commercially distributing software, it's not feasible yet, and may never be. Think about some of the lost, misrouted, and garbled articles you see on usenet. Would you want to try and send a 6MB software package thru with that risk? Would you blithly trust your (companies') system to such a package, without checking it? If you have to check it, you might as well have shrink-wrap to open. > - ---Steve > OKAY@TAFS.MITRE.ORG - -- Gary Heston { uunet!sci34hub!gary } System Mismanager SCI Technology, Inc. OEM Products Department (i.e., computers) "I think, therefore, !PANIC! illegal protected mode access attempt Memory fault: core dumped