Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: jkp@cs.HUT.FI (Jyrki Kuoppala)
Newsgroups: comp.virus
Subject: Re: AF/91 and April Foolism in general
Message-ID: <0010.9104231715.AA16173@ubu.cert.sei.cmu.edu>
Date: 23 Apr 91 01:40:19 GMT
Sender: Virus Discussion List
Lines: 74
Approved: krvw@sei.cmu.edu

dank@stealth (Dan King) writes:
>|> It seems to me that especially in the computer virus field the lack of
>|> knowledge about computer security in general is often exploited by
>|> various venturers. Sure, there's nothing inherently wrong with
>|> wasting your money spending it on various virus detection programs,
>|> populist books and such.
>
>Now I began to question Mr (? I may be mistaken, my apologies if you
>are actually Ms) Kuoppala.

Well, that's overgeneralizing things a lot, I admit. Just say Jyrki as the net habit seems to be, no need to Mr. (that's the correct one) me.

>|> Computer viruses in themselves are not a big problem. The big problem
>|> is persons with no knowledge of the risks involved and no proper
>|> training and/or usage policies using computer systems with nil (or
>|> worse, security-by-obscurity ones) operating system and application
>|> program access controls, with the programs often written by persons
>|> with equal lack of knowledge. Add to that the lack of source code and
>|> then even if the users were competent enough they couldn't find or fix
>|> the holes and lacks of controls.
>
>Hold it. Wrong. Dead wrong. Computer viruses are a HUGE problem for
>anyone who is even remotely connected with the maintenance of a
>significant number of computers. Ask someone whose home system has
>just had its HD partition destroyed by a virus. Ask someone who is
>ready to go back to a typewriter because their new, spiffy Mac IIci
>crashes at application launches due to WDEF.

Yes, you are somewhat correct about the present situation - I was unclear in what I was trying to say, although I would still say that the problem would be a lot less serious if the users had habits of not booting from every other floppy and using floppies borrowed from a neighbour.

What I really should have pointed out is that computer viruses wouldn't be a serious problem if the commonly-used operating systems had even some decent protection mechanisms provided by the operating system. By 'commonly-used OSs' I'm now referring to MacOS (whatever that's really called) and MS-DOS. Viruses are not a serious problem on Unix or VMS or VM/something, because the OS provides at least some minimum access control mechanisms.

>Proper "usage policies"? Pray tell,
>what are these? We could set up fascist-like user rooms where users
>can only submit batch jobs and never touch the computers, but we'd get
>less accomplished that way.

It helps not to boot from friends' floppies, only install programs to your computer from reliable sources like known vendors and free software distributors, distribute the installable programs in write-protected disks, scan the programs you install with some virus detector and some other simple precautions. If you do the above, viruses won't get to your system very often, and it doesn't seem to make life much more difficult.

>Including source code with every program would help eliminate viruses,
>but forgive me if I only pay attention to realistic options.

Well, dunno, I have source code to every program I run on my home system and every part of the system, even the ROM monitor and the PCB. Oh, not every part exactly, I don't have the source code to the chips (like the processor), there might be some trojans hidden there..

>Likewise
>running only programs not written by "persons with an equal lack of
>knowledge". Whatever that means.

It means something like running an OS whose designers had enough common sense and expertise to put at least some most basic access control mechanisms in the OS. Same goes for applications.

//Jyrki