Path: utzoo!yunexus!geac!syntron!jtsv16!uunet!husc6!bloom-beacon!gatech!ncar!tank!nucsrl!jln
From: jln@eecs.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: SCORES ordeal + new(?) SCORES info
Message-ID: <10330062@eecs.nwu.edu>
Date: 14 Oct 88 16:56:41 GMT
Article-I.D.: eecs.10330062
References: <6685@ut-emx.UUCP>
Organization: Northwestern U, Evanston IL, USA
Lines: 158

Robert Dorsett of the University of Texas at Austin and Greg Dykema of the University of Michigan both disagree with my opinion that we shouldn't post disassemblies or sources for viruses.

Dykema says:

>In any event, I believe that the question of whether or not to publish virus
>source code does NOT have a clear answer!

I agree. When I had figured out how Scores worked in April and began to prepare my original posting to comp.sys.mac I had to very seriously consider this issue. It was definitely not easy deciding how much to reveal about the internal details of Scores. My final decision was to tell what Scores does to your system, how to detect it, and how to get rid of it. This does involve revealing some of the internal technical details.

Most of the many people who corresponded with me about my postings agreed with my policy. But at least one very knowledgeable person felt I was actually doing harm by posting at all! He felt that those of us who know about viruses should just keep quiet in the hope that the virus-writing "fad" will die a natural death. He found my posting much too technical and thought it gave too much help to potential virus writers. I disagree with this person, but it shows that there's a whole spectrum of opinion on this issue. I guess I'm a "moderate".

Dykema also says:

>...viruses are not
>hard to write and any decent programmer with the desire can write one.
>The only thing you avoid is handing someone "ready-made trouble" and
>perhaps giving someone the ability to distribute a virus if they did
>not have the necessary skills already.

Robert Dorsett says:

>Denying public knowledge of viruses does *not* protect against them, merely
>guarantees that attack strategies remain unknown.
>...
>I'm willing to
>bet that we will *not* be subject to "a flurry of new viruses" if source is
>posted.

Viruses are not hard to write, but they're not easy to write either. It does take quite a bit of work, knowledge, and time to write a virus from scratch on the Mac. It's hard enough so that only somebody with quite a bit of free time and a very strong desire is going to write one. But almost anybody can quite easily hack together a variant of an existing virus given source code. This has already happened in the Mac world with the nVIR virus. A German programmer posted source code on CompuServe, and several mutations of nVIR appeared. (Disclaimer: I have no first-hand knowledge of this, and I haven't seen his posting. I've just read about the incident. I'm an expert on Scores, but not on nVIR.)

It seems very clear to me that posting sources for viruses is asking for trouble. Denying public knowledge of the nitty-gritty technical details does help to protect against them. This is the main argument in favor of my position.

Dorsett writes:

>Understanding a virus is essential to combatting it, even from the user
>level. Even now, months, presumably, after SCORES has been disassembled by
>certain users on the net, we still have people running around like chickens
>with their heads cut off, with nary a clue as to how it propagates itself,
>afraid to run software "sanitised" by killscores, "reverse engineering" the
>viruses from the user level, etc. I think that to at LEAST provide a clear
>description of how it works is to benefit the community at large.

Understanding what a virus does to your system, how to detect it, and how to get rid of it are essential to combatting it. Understanding the complete technical details of how it works internally is helpful but not essential.

I've tried to provide clear descriptions of the technical information that people need to combat Scores, and it has been a great help to many, many people. But I refuse to reveal internal details that are not critically relevant to this goal.

You are absolutely correct that a great deal of erroneous information has been spread about Scores. Even now magazine articles and network postings are more often than not inaccurate. This is unfortunate, but probably unavoidable. I've done everything in my power to dispel rumors and give accurate information, and the situation has improved somewhat, but the rumors still persist.

Dykema writes:

>But we have lost something too. We have lost a free exchange of information,
>admittedly information that could help or hurt. But I believe that the
>"additional" damage releasing virus source code might do is not worth
>the loss of information, information necessary if one is to understand the
>possible threat of viruses (and specific viruses in the case of publishing
>specific source code) and to defend against them.

This argument is very strong and well-stated. I think that Dykema has stated the main argument against my position. I too believe in the enormous value of the free exchange of information. For example, I long for the "good old days" when operating systems and major applications were distributed with source code. I learned how to program by studying those sources. Can you imagine how much better programmers we'd all be if we had source for the ROM? The current almost universal distribution of programs without source code is tremendously harmful.

The problem in a nutshell is to balance the danger of showing hackers how to write destructive code against the benefits of the free exchange of information. Dykema argues for free exchange. But after extremely careful consideration I have decided that the very real threat posed by these extraordinarily dangerous viruses is more important. This is sad but true.

Dykema again:

>What gives anyone the
>right to decide in whose hands this "privileged information" will lie?

Another very telling argument. Viruses are being written, and we need a community of virus fighters working together to combat the plague. But if the members of this community can't exchange information freely, how can they work effectively? Who decides who gets to be a member of the club? For example, all of my work has been done in almost complete isolation, with no help from others. I am not a member of the "club", if one exists. I know that there are other Mac programmers out there working on the same problems, but for the most part we don't communicate or share our work. I admit that I have no good answer to this question.

On a different topic, Dorsett writes:

>I view "virus killers" as almost as serious a threat as the virus
>they are alleged to combat. The fact that none of these killers are distributed
>in source form only adds to my reluctance to use them.

I tend to agree. Virus fighting software should be distributed with source code. My colleague Albert Lunde has written a program VCheck, and he distributes it with source code. I can think of an exception, and that is CE Software's Vaccine. If source code were available it might make it too easy for virus writers to figure out ways to get around Vaccine's protection.

I'd like to thank both Dorsett and Dykema for posting their excellent notes. This is a topic that needs discussion. I disagree with them, but I acknowledge and respect their opinions. It is indeed a very difficult problem.

Finally, I'd like to remind readers of this thread that I posted three notes on Scores to comp.sys.mac last spring, on 4/18, 4/25, and 5/2. They contain lots of useful, accurate information on Scores, but they won't teach you how to write a Mac virus. You may have missed them. Anybody who would like copies should feel free to send me a note at the address below.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu