Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!att!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Various Comments
Message-ID: <0002.9101021908.AA04408@ubu.cert.sei.cmu.edu>
Date: 2 Jan 91 21:38:22 GMT
Sender: Virus Discussion List
Lines: 81
Approved: krvw@sei.cmu.edu

Note: Thanks to flaky routing have missed posts 194-203. Apologise for not responding to comments in the interim. Happy Christmas.

>From: jmolini@nasamail.nasa.gov (James E. Molini)

>From what I have seen over the years, anyone who ever loaded a key
>into a piece of crypto gear has called themselves a Computer Security
>Expert at one time or another...

>So what does it take to be competitive in this field? It takes at
>least a bachelor's degree in Computer Science and a strong background
>generally in security.

Am reminded of the quip attributed to Mozart about what it took to write an opera. When given an answer that would require the better part of thirty years, the inquirer said "But Herr Mozart, you wrote your first opera at sixteen." to which the composer replied, "Ah yes, but I did not have to ask."

Having cut many a KG-13/KY-26 card & possessing an ME degree (from GMI), this would place me in the first category, however, I did not ask anyone (besides, who could you ask in 1966 ?) & feel there is a point that needs to be made.

At present, there are really two different computer security fields: the first which Mr. Molini appears to address is the traditional multi-user mainframe which has access control as its primary requirement and provides insulation between users and applications. In most cases the user has neither concern nor care where WordPerfect resides, the system managers take care of this.

PCs are another story altogether. Here there is no access control or partitioning other than a pseudo one. The user and any application called can do anything it/he/she wants. There is no RACF or CA/Top Secret and no user/kernel separation.

Since mainframe manufacturers make the innards of the O/S a secret from the general public, often just a good knowledge of the package in use is all that is necessary. (Though RACF is the only security system I know of that will tell you where its holes are and not trigger a violation for asking.)

To de-virus a PC (not just using CLEAN), the technician must understand the iapx80X86 machine code at hex and assembly language, operation of the BIOS, and the steps of loading a PC. Obviously the writers of JOSHI had some coaching on this as the first level mistakes are not made.

These are entirely different skills than are generally needed on a mainframe. I know of few places outside of defense contractors where computer architecturists are still being utilized (and to anyone who has ever been stuck with making a Mil-Std-1750A/Jovial system work, my condolences but you probably have the right skills.)

The biggest difference even with a unix environment is that in the PC (and the MAC) environment things happen at such a low level that little information is available (other than in fifty or sixty feet of books at BookStop) and few bother to read it (did my bibliography of a few issues ago get posted ?)

Just for an example, many readers of Virus-L use VAXes (my favorite PC) but how many know CHME, CHMK, & CHMS ? It's just not necessary unlike REPNZ MOVSW or LODSB/STOSB that should throw up warning flags to an observer in a PC.

The point is that these are just not skills that are taught anywhere that I know of (possibly, I'll be pleasantly surprised as when several people reported that Logic is still taught in a few institutions)

>I have to read Virus-L at home because I
>have a "real" computer security job to go to every morning. I am not
>alone in this respect. Most companies don't realize the amount of
>"phantom dollars" they are spending on viruses today. When they do,
>we'll see a much more effective response to this problem.

Exactly ! Perhaps the problem is that management expects miracles because we keep delivering them. In any event, I expect that nothing much will happen until the lawyers get into the act with some massive "negligence" suits from either stockholders of attacked companies or customers who suffer loss. Then the Snake-Oil salesmen will really descend upon us.

Enough,
Padgett

These opinions are free and worth what you paid for them.