Path: utzoo!utgpu!attcan!uunet!husc6!tut.cis.ohio-state.edu!allosaur.cis.ohio-state.edu!bob
From: bob@allosaur.cis.ohio-state.edu (Bob Sutterfield)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Virus
Message-ID: <26875@tut.cis.ohio-state.edu>
Date: 7 Nov 88 19:53:26 GMT
References: <19881104194515.0.GLR@MOSCOW-CENTRE.AI.MIT.EDU>
Sender: news@tut.cis.ohio-state.edu
Organization: The Ohio State University Dept of Computer & Information Science
Lines: 18

In article <19881104194515.0.GLR@MOSCOW-CENTRE.AI.MIT.EDU> glr@WHEATIES.AI.MIT.EDU (Jerry Roylance) writes:
>So the first step might be to (quietly) grep unix filesystems for
>some appropriate (cleartext) substrings that would appear in his
>files (ie, pieces of the infecting shell script). Anyone who owned
>such files before the infection would be suspect.

This would yield circumstantial evidence, at best. Any information
found this way would be obtained illegally, at worst, unless you have
a search warrant against a specific user's files.

Ironically enough, I recall someone else, from another subdomain of
MIT, who recently discussed MIT's refusal to run `arbitron' because it
would glean information from files in users' home directories, which
(in that installation) are considered sacred and private.

-=-
Zippy sez, --Bob
- if it GLISTENS, gobble it!!