Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby)
Newsgroups: comp.virus
Subject: Re: File transfer of software--A way to curb commercial infections?
Message-ID: <0012.9006051151.AA17014@ubu.cert.sei.cmu.edu>
Date: 4 Jun 90 18:15:33 GMT
Sender: Virus Discussion List
Lines: 85
Approved: krvw@sei.cmu.edu

In article <0003.9006011949.AA14516@ubu.cert.sei.cmu.edu>, gary@sci34hub.sci.com (Gary Heston) writes:
> ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby) writes:
>
> > I've always felt that networks are less likely to transmit viruses
> > than floppy disks because it is more likely that the culprit will be
> > caught. I grant that games can be played with the signatures, etc.,
> > but chances are that some sort of log files are kept by the system
> > administrators about what came in, and when. Although difficult, in a
> > crisis there is at least some hope that the dissemination path used by
> > the virus can be discovered. Although not foolproof, this should act
> > as somewhat of a deterrent to virus writers.
> ..
> Networks can propagate a virus thru several avenues, particularly if
> the netadmin is inexperienced and hasn't quite got file protections
> for network executables set correctly. If user Fred logs in to a

I freely concede this. Networks are no safer than floppies. You miss
the point.

> Now, we have a logfile that shows Fred, Barney, and 30 other users
> ran this particular piece of software, at various times during the
> day, and probably more than once. What points to the infection
> source?

Not *that* logfile. I'm uninterested in who runs it on the (now)
infected system. What I am trying to establish is the pattern of
transmission for the virus. For instance, it is of interest to know
the general propagation path through the network. This can lead you
back towards the site where the virus initially started. Once you get
to that site, then you can try to find the user who owns the *source*
code to the virus. Since we do backups at unpredictable times on our
system, it would be tricky (but not impossible) for a virus writer to
hide the source code.

> This can be controlled somewhat by the netadmin getting the
> setup correct; however, this is a somewhat optimistic hope in
> view of the complexity of network software and the limited
> training new admins get (I'm trying to learn Novell right
> now; the company decided nobody needs to go to seminars for
> anything). It's difficult to track down a security hole when
> the boss is asking hourly "Why isn't the network up yet?".

Then your boss deserves what he gets.

> is necessary. Training admins to check EVERY piece of software
> prior to installation, no matter how many layers of plastic it
> was (or wasn't) wrapped in, along with safe setups. Teaching
> management that this really is necessary, not just a waste
> of resources, and you really do need that many tapes for
> backups. Etc.

Agreed.

> > Floppy disks are almost untraceable since they carry *no* copy history,
> > *no* history of what machines they visited and almost no means of
> > identifying the offender.
>
> True. However, the person holding it can explain why they were
> running the software without checking it....

Thereby punishing the victim rather than the perpetrator. This is
somewhat like telling a rape victim that it was their fault for
walking down an alley at night. It is true that they might be
considered foolish for doing so, but they are not the party that
should be held responsible for the offense.

My point is not that viruses are less able to infect systems via
networks than via floppy disks, but rather that the significant
possibility of getting caught (say 1 chance in 5 ??) should dissuade
people who otherwise have no chance of getting caught.

Virus prevention has got to focus more on identifying the culprits,
and less on treating the symptoms if this is ever going to occur.
Networks (perhaps better networks than what we have today) are our
best chance of finding violators.

Sorry to be so long-winded, but I feel that this is a philosophical
point that is often missed in comp.virus discussions.

- --
Terry Ingoldsby                ctycal!ingoldsb@calgary.UUCP
Land Information Services                 or
The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb
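The post argues that inter-site transfer logs ("what came in, and when"), rather than the per-machine log of who ran the program, are what let an investigator walk the propagation path back to the originating site. The following is an added worked example of that reconstruction; it is not code from the original post or from comp.virus. The log format, the site names and the transfers are all constructed for illustration, and the rule that a site which already holds a file (it received or sent it earlier) is not re-attributed to a later inbound copy is an assumption about how a tracer would treat re-transfers.

```python
"""Reconstruct a file's propagation path between sites from transfer logs.

Added example, not from the original post. Log format, site names and
transfers are constructed; a real gateway's log layout would differ.
"""
import re
from datetime import datetime

# Constructed log lines: one record per inter-site file transfer, in the
# form a transfer gateway might write them (format is an assumption).
TRANSFER_LOG = """\
1990-05-28 09:14 recv site=bedrock from=granite file=FUNGAME.EXE
1990-05-28 11:02 recv site=quarry from=bedrock file=FUNGAME.EXE
1990-05-29 08:30 recv site=bedrock from=quarry file=FUNGAME.EXE
1990-05-29 14:45 recv site=slate from=quarry file=FUNGAME.EXE
1990-05-30 10:05 recv site=granite from=slate file=FUNGAME.EXE
1990-05-30 16:20 recv site=slate from=bedrock file=README.TXT
1990-06-01 13:55 recv site=rubble from=slate file=FUNGAME.EXE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) recv site=(?P<site>\S+) "
    r"from=(?P<src>\S+) file=(?P<file>\S+)$"
)


def parse_log(text):
    """Parse log lines into time-sorted (timestamp, receiver, sender, file)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than abort the whole trace
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
        records.append((ts, m["site"], m["src"], m["file"]))
    return sorted(records)


def reconstruct(records, filename):
    """Return (first_arrival, origins) for `filename`.

    first_arrival maps each site to (time, sender) of the earliest transfer
    that gave it the file. A site that already holds the file, because it
    received or sent it earlier, is not re-attributed when a copy comes back
    (quarry -> bedrock and slate -> granite above are such echoes).
    origins are sites seen sending the file before any logged arrival at
    them: the point where these logs run out and the on-site search begins.
    """
    first = {}
    have = set()
    origins = []
    for ts, site, src, fname in records:  # records are time-sorted
        if fname != filename:
            continue
        if src not in have:  # sender had the file before any logged arrival
            have.add(src)
            origins.append(src)
        if site not in have:
            have.add(site)
            first[site] = (ts, src)
    return first, origins


def trace_back(first, site):
    """Follow first arrivals from `site` back to where the logs stop."""
    path = [site]
    seen = {site}
    while site in first:
        site = first[site][1]
        if site in seen:  # cycle guard in case the log is inconsistent
            break
        seen.add(site)
        path.append(site)
    return path


if __name__ == "__main__":
    recs = parse_log(TRANSFER_LOG)
    first, origins = reconstruct(recs, "FUNGAME.EXE")
    print("origin site(s):", origins)
    print("path back from rubble:", " <- ".join(trace_back(first, "rubble")))
```

Running the script prints `granite` as the only origin and the chain `rubble <- slate <- quarry <- bedrock <- granite`; the two later transfers that sent the file back to bedrock and to granite are recognised as echoes and do not distort the path. In practice the file would be matched by a content fingerprint rather than by name, since an infected program need not keep its filename between sites.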