Computer underground Digest    Wed  Aug 4 1993   Volume 5 : Issue 58
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Coop Eitidor: Etaoin Shrdlu, Senior

CONTENTS, #5.58 ( Aug 4 1993)
File 1--An Apology to Joel Garreau
File 2--The Complexity of Issues in the AIS BBS Affair
File 3--Virus distribution

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The
editors may be contacted by voice (815-753-6430), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG
WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted
nodes and points welcome.
EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
          In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  UNITED STATES:  ftp.eff.org (192.88.144.4) in /pub/cud
                  uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud
                  halcyon.com( 202.135.191.2) in /pub/mirror/cud
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud
  AUSTRALIA:      ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE:         nic.funet.fi in pub/doc/cud. (Finland)
                  ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: Wed, 4 Aug 1993 21:18:55 CDT
From: Jim Thomas <cudigest@mindvox.phantom.com>
Subject: File 1--An Apology to Joel Garreau

In CuD 5.57, we published a response to Rep. Edward J. Markey's letter
criticizing AIS BBS. We indicated that Rep. Markey's staff based the
letter on the Washington Post article by Joel Garreau.  We also argued
there, and in CuD 5.51, that the Post article raised serious questions
of journalistic ethics, primarily because of the use of citations by
an "anonymous" informant and by an identified informant who were the
same person.

Some readers apparently, and mistakenly, believed that we were
implying that Joel Garreau was unethical. As author of the response,
this was categorically not my intent. As I (and other critics of the
Post article) have stated explicitly, Joel made a conscious effort to
be balanced and to present the facts as they were presented to him.
Many of us consider Joel Garreau one of the more responsible
journalists covering cyber-issues, and he has consistently displayed a
willingness to learn and a meticulous concern to "get the story
straight." I have both personal and professional respect for Joel, and
I regret any ambiguous wording that might have suggested otherwise. I
apologize to Joel for any impression that his own integrity was called
into question.  It wasn't.  To challenge what may be common practices
in no way implies that the practitioner is necessarily guilty.  Airing
media practices is not intended to cast blame, but instead to raise
issues of how images are created through the visual or ASCII symbols
of a given medium.  One can object to a message while simultaneously
respecting the messenger.

The broader issue in media coverage of cyberspace issues lies in
general media formatting and how all reporters shape images. As
suggested in CuD 5.51, this probably reflects a style of journalism
practiced by conventional media.  Some reporters, including Joel
Garreau, John McMullen, John Schwartz, Joe Abernathy, John Markoff,
and a few others, provide balanced and often sympathetic coverage of
computer-related issues. Often, however, there is room for honest
disagreement over an "angle," and choice of facts. Less-experienced
reporters seem especially prone to looking for a sexy or dramatic
angle that will stimulate public interest. Lack of public familiarity
with computer technology and related issues requires simplification
and an occasional bad metaphor. These, in turn, influence legislators
(as in the Markey letter), media hyperbole, and distorted information
that re-inforce the image amongst law enforcement and the public at
large that pernicious dangers lurk beneath the techno-culture of BBSes
and the Net. We will provide a few examples of such coverage within
the next week or two.

At stake in all of this is the battle over images and the power that
symbols possess to stigmatize and control certain behaviors that, when
occurring in "real space," are Constitutionally protected. "Bad images
lead to bad law," so this is not simply a quibble over preferred
images, but rather a debate and battle over which rights shall (or
shall not) be extended to cyberspace.

------------------------------

Date: Mon, 2 Aug 1993 22:31:44 CDT
From: Paul Melka <no@internet.address>
Subject: File 2--The Complexity of Issues in the AIS BBS Affair

((MODERATORS' COMMENT: Although we have frozen the discussion of
specific personalities in the AIS BBS incident, Paul Melka's response
is a thoughtful and in-depth response that focuses on issues. Paul's
theme is that the complexity of issues offers no easy answers. Paul
Melka is a security analyst in Baltimore)).

+++

(Open Letter to Paul Ferguson)

Paul,

You and I have talked a number of times in FIDO and I have met you
before during the "first" International Computer Virus Conference
sponsored by the ICSA in Washington in late 1991.  I have been
following with interest the developments that have occurred with the
Bureau of Public Debt's Automated Information System BBS.  As a
Security Analyst, I feel that I need to clarify some thoughts from my
perspective as a user of AIS.  I will quote you as appropriate,
without quoting a ton of other background information.  The quotes are
from your responses to Cory Tucker on June 24, to All on June 26 and
Frank Tirado, through Aristotle on July 15.  I have also quoted
selected portions of your response to CuD 5.51 that appeared in CuD
5.52.  Again, my opinions are my own, for whatever they are worth.  I
debated long and hard, whether to just drop this completely, but I
feel that its important that people see a different perspective of AIS
and what Kim was trying to accomplish.


PF> Although I'm a proponent of the "free-virus-exchange-is-akin-to-
PF> Typhoid-Mary" train of thought, let's examine, for a moment, both
PF> sides of the argument.
PF>
PF> Pro Vx
PF>
PF> o Individuals in favor of Vx claim that they have seen no evidence
PF>  that virus exchange systems have contributed to the spread of viruses.

Actually, I believe that Vx boards have _definitely_ aided in the
spread of computer viruses, both by allowing the spread of live
viruses and by providing the knowledge to create new viruses.  In the
case of the AIS, it provided about 32 files containing viruses, as of
late April, some of which had descriptions such as "Source code for 51
viruses".  Adding all these together comes out to less than 160
_total_ disassemblies.  Almost two years ago, David Stang asked you
during a discussion how many viruses you have and you answered over
900 viruses.  I would assume that this number has more than doubled
for you.  The reason that I point that out, is that proportionally AIS
had no live viruses and very little source code.  The source code
itself was provided as a sampling of virus disassemblies.  The great
majority of people, both Anti-Virus and Pro-Virus would consider such
a collection "lame".  These viruses would not be any reason for even
"wannabee" virus writers to contact the board.

Yes, there were other files on the board, such as the virus generators
VCL and G-squared, as well as the MtE and TPE encryption engines.
These may have been far more attractive to "wannabee" virus writers
and _might_ have been a misjudgment on Kim's part to make these
available on the requested access area of the board (no one had access
to the Underground files without directly requesting it).  Personally,
I don't feel that it was a mistake because having access to these
files alerted me both to their strengths and weaknesses.

PF> o Proponents of virus exchanges claim that by making viruses and
PF>  disassemblies available to their users, they are providing them
PF>  with the tools necessary to understand how computer viruses work.
PF>  Similarly, once this information is understood, they also claim that
PF>  it contributes to the overall enhancement of the computer security
PF>  knowledge-base of their users.
PF>

I believe this to be a true statement.  Yes there are risks involved,
but the bottom line to me is that if you catch one new virus from this
information but are able to prevent 100 attacks from the information
that you gained from that same source, the information is justified.
Neither you nor I are in any position to determine whether more good
or bad came directly from AIS.  In fact, your echo VIRUS_INFO has had
the telephone numbers for various Vx boards posted in it.  As
moderator, you can only re-act rather than act to prevent this, and I
don't believe that your echo should be shut down because it provides
this type of information on a regular basis.

PF> o Many advocates of Vx systems claim that attempts at stemming the flow
PF>  of computer viruses is an idealism that should be protected under
PF>  freedom of expression and freedom of information concepts.

I feel that what I or you or anyone else do on our own personal
computers is our own business.  As you mention in a post, when that
starts to impact other people, then I give up my freedom as an
individual to the freedom of society to have as safe a computing
environment as possible.

PF> Con Vx
PF>
PF> o Figures reflected in statistics compiled by all of the computer
PF>  security and antivirus organizations show a dramatic increase in the
PF>  number of computer viruses in the past three years. Since Todor
PF>  Todorov's Virus eXchange BBS, which was the first of its kind in the
PF>  world, the number of "underground" systems which mimic the
PF>  activities of Todorov's system has risen. Sara Gordon has documented
PF>  quite a bit concerning the impact of these systems; I'd recommend
PF>  her paper(s) on the subject which she has presented on several
PF>  occasions. <vfr@netcom.com>

As mentioned earlier, I think that this is true and don't argue the point.
But I do not accept your argument that AIS was a Vx board, just because
it had a handful of virus disassemblies on it.

PF> o Viruses and disassemblies which are made available on these systems
PF>  are a potential danger.  While live viruses present a more immediate
PF>  threat in the wrong hands, disassemblies can be considered even more
PF>  of a danger in most cases because of their ability to be easily
PF>  modified, recompiled and redistributed as undetectable variants of
PF>  existing viruses. These instances have happened with increasing
PF>  frequency and can be directly attributed to Vx systems and virus
PF>  creation groups such as Phalcon/Skism, YAM, NuKe and ARCV.

Yes they do represent a potential danger, just by the very nature of
Vx boards encouraging each other with who has the most viruses in their
libraries (even though in many cases, there are quite a number of phony
"viruses" just used to get access to other files).

PF> o With the availability of virus creation "kits," such as the VCL,
PF>  PS-MPC and the G-squared, even "wannabe" virus writers with little
PF>  or no skill at all can make viruses and distribute them at their
PF>  leisure.

Agreed.  Yet they also provide a valuable learning tool to people like
myself who go beyond what the job requires to really attempt to learn how
viruses work and how to best protect against them.

PF> o While it should be realized that this type of activity cannot be
PF>  stopped completely, we must acknowledge the fact that Virus
PF>  exchange systems _do_ contribute to the spread of viruses. Virus
PF>  exchanges _do_ contribute to the propagation of new and undetectable
PF>  viruses. Access to live viruses and disassemblies are not necessary
PF>  for gaining knowledge and understanding how they work. A basic
PF>  understanding of assembler language and some practical examples,
PF>  including pseudo code, would suffice.

There are an incredible amount of people in the security field of
which you and I who are part who don't even need that much
information!  They will do their research and choose whatever virus
protection PC Magazine recommends for this year (Central Point
Anti-Virus and Norton's Anti-Virus).  You mentioned in one of your
posts that you have been doing virus disassemblies since they first
came out.  Why?  Only you can answer that.  In my case, I want to
understand exactly how these things work.  Have I succeeded?  No, not
by a long shot.  There are too many things going on in the security
field besides viruses that take up my time.  I did get my company to
allow me to set up both a stand-alone computer and a small LAN for
virus research projects.  Both these systems are in a locked room with
passwords on the systems.  Both these systems do not have viruses on
them, except when I am specifically testing a product against live
viruses.  I also volunteered to assist with the International Computer
Security Associates' volunteer Virus Field Researcher program.
Unfortunately after only a few months the program fell apart.  I don't
want viruses to infect my company or computers that I am responsible
for, yet at the same time, it is very important to me that I
understand the inner workings of a virus as well as I can.  I have had
people say too many times, just illustrate it with pseudo code, yet
for each of those times, I have heard three times as many people say,
"I'm not going to give anyone any examples or pseudo-code, because it
might give a virus writer an idea."  I believe that the knowledge of
viruses that I have gained has made me a better security analyst.

PF> Can there be a common ground on this issue? Probably not. The computer
PF> virus arena is filled with complex and diversified idealisms on the
PF> subject. I consider myself a proponent of freedom of information, but
PF> I also believe there are limits to one's freedom.

I feel that AIS was helping to provide that common ground, just as
ComSec is.  I honestly do not believe that the information on AIS was
of any real interest to any virus "wannabees".  I think it was much
more of an information exchange area for security professionals and
the only benefit that the virus writers were getting out of it, was
that they could say that one of their text files was posted on a
Federal board.

PF> ... In other words, one's right to a particular freedom
PF> ends where it infringes on someone else's rights for safety or
PF> privacy, in this instance.

I agree with this as I said earlier.

PF> And the government should certainly not
PF> allow systems which participate in these type of questionable
PF> activities to function within their realm of responsibility. Simply the
PF> appearance of government sponsorship tends to lend some form of
PF> legitimacy to the activities in question.

But as you may have gathered, I strongly disagree with this statement.
Can you tell me where I can legitimately get this type information
except from boards such as AIS or ComSec.  Personally, I would be
willing to submit to whatever requirements there would be for this
access.  The problem is that I am not an anti-virus vendor or a
full-time researcher.  I am just someone who is trying his very best
to understand and deal with the computer virus problem.  And I feel
that AIS has helped greatly with that understanding.

PF> Proponents of virus exchanges remain unconvinced that making live
PF> viruses, source code and disassemblies available endangers end-users.
PF> I'm convinced that not all instances do cause damage, but I'm also
PF> convinced that many times, it has done exactly this.

I'm also convinced that _not_ all instances do cause damage, and I believe
that AIS was one of those instances.

PF> In the case of the AIS BBS, it was operating under the auspices,
PF> whether explicitly or implied, of a Federal Office, namely the US
PF> Department of Treasury. The point in all of this is not necessarily
PF> what AIS did, but rather, how it was done and the apparent moral
PF> "high ground" of legitimacy it portrayed by being an apparatus of
PF> a United States Government office, financed (in part) with taxpayer
PF> money.

The point was that it was being operated as a _security BBS_ not a
Vx BBS.  The files that were on there were common viruses that were
"ancient" in CyberSpace time.  The fact that the government, or the
Bureau of Public Debt was providing the service is really besides the
point.  Maybe the FBI or the Secret Service should have provided that
service.  They certainly accessed it.  They were also certainly aware
of it!  But did either of these groups try to shut it down?  No, it was
shut down because of public perception in Risks forum that tax payers
money might be used to sponsor a Vx board.

PF> I admit that I am dismayed that people do not see the problem here.

If the government was really sponsoring a Vx board, I could see your
point, but again it was a board for _security_ people to gather
information and to interact with hackers.

PF> After this knowledge was made public, many questions surfaced,
PF> including under what authority did Clancy operate a system with
PF> implied blessings of the Treasury Department? I'd venture to say
PF> that the Secret Service (remember Gail Thackeray?) frowned on this
PF> rather heavily.

If they frowned on this so heavily, then why did you have to get
involved to shut it down?  I'm sorry, Paul, but I don't think the
pressure came from within, because those people could see the benefit
of AIS.  I think the pressure to shut it down came from the
unreasonable, yet too often justified, fear of what the public might
think.

PF> I certainly claim no "moral high ground" on the issue. I took what I
PF> thought was the best avenue of approach, which was to bring this topic
PF> out of the shadows and into the forefront for discussion.

And this was _the_ most nagging question in my mind.  Why post
anonymously?  Your feeling have been widely known on these issues for
a long time and posting anonymously really took away from that.  I
_do_ very much respect the fact that you took actions that you felt
must be taken, but I do have to question your methods.  I feel that
the results would have been exactly the same if your English contact,
whether it be Dr. Solomon or not, would have posted in Risks in almost
exactly the same way, asking why as Americans we allow our taxpayers
money to be used in this way.

PF> Unfortunately, the discussion was brief and the actions behind the
PF> scenes were apparently swift. Also, the assumption that Alan Solomon
PF> originally forwarded the BBS capture log is pure conjecture.

But still might be true!

PF> In an ideal world, we all share the freedom to express our concerns
PF> and ideas in an open forum. Although I may not agree with what you may
PF> say, I would give my life for your right to freedom of expression.

I'm not sure you understand exactly what you just said - because it really
is up to each individual to protect their own rights and yes like you I would
fight for those rights.

PF> However, let's not confuse concepts of freedom of expression and
PF> reckless computing.

Again, in the case of AIS, I don't believe that reckless computing was
involved at all.  It was more so a matter of Kim wishing to share
information that she had found beneficial to her with other people in
the security field.  There was no financial gain to Kim to make this
information available.  She could have simply kept everything that she
learned to herself and none of this would have happened at all.  But
hasn't it been said over and over again that "Truth will set you
free."  I believe that.  And if you just look at some of the
outlandish claims by some AV packages, you have to wonder where the
truth is.

PF> Mr. Corey Tucker sent an "advance" copy article written by George Smith
PF> (aka Urnst Kouch) which implied several items which were conjectured and
PF> seemingly allusions. I posted a prior response, but additionally, I'd
PF> like to post an article also written by Kouch which outlines Clancy in
PF> the CRYPT newsletter #13, in which more altruistic mentalities are
PF> discussed. I believe this is valid; it reflects the entirety in which
PF> this whole fiasco existed.
PF>
PF> Additionally, I am also posting the Washington Post article, in its
PF> entirety, for information purposes.
PF>
PF> If the truth be known, Mr. Smith did the most damage to Kim Clancy's
PF> underground organization (and BBS) than anyone who may have followed, by
PF> the publication of this very article.

Certainly the fact that AIS was mentioned in both CuD and the Crypt
newsletter may not have been in the best interest of the AIS, especially
in the eyes of the general public.  Both these underground magazines,
although in some cases talking about how the Federal government had virus
disassemblies available, were really focusing on the fact that this
information was being provided to improve security, to aid in virus
protection and prevention and to promote an exchange of ideas with both
"hackers" and security professionals.

PF> No need to call this number, it ain't there anymore. Not only did Mr.
PF> Smith (Kouch) nail Clancy's coffin, he enabled others to do so on his
PF> behalf.

Actually as you mentioned in a later post, you accomplished exactly what
you wanted to - you shut down the underground files on AIS.

PF> Mr. Thomas (and readers of CuD),
PF>
PF> While my first instinct was to not post any response to your
PF> scathing series of highly volatile articles (albeit, on a highly
PF> volatile subject, Cud 5.51), I reconsidered after a colleague
PF> reminded me that, unfortunately, silence on my part may be
PF> misinterpreted as some form of admission of guilt. I do regret
PF> that this instance has created such a stir, but I do not apologize
PF> for the attention brought upon the AIS system which ultimately
PF> resulted in the removal of commented virus disassemblies from
PF> public access.

If the only thing that was lost were the virus disassemblies, the
loss would have had little or no impact on anyone.  Most of the
information that I gleaned from AIS was in the various underground and
aboveground electronic magazines, such as CuD that will no longer be
available on the board.  Also the "hacker files" on Unix and Novell
security were very useful to me to give me a focus on potential problems.

PF> Without launching into a dissertation about the harm caused by
PF> virus code (both compiled executables and reverse-engineered
PF> disassemblies), I would like to make a couple of points which are
PF> commonly taken for granted or disregarded altogether.
PF>
PF> The debate will obviously continue on virus eXchange systems,
PF> which name they have been given due to the availability of virus
PF> disassemblies, creation tools and the likes. (All of which were
PF> available on AIS.) I get the distinct impression that we have not
PF> heard the last on this topic. Far from it, I'd wager.

If AIS were actively trading in viruses I would consider it a Vx, but
because it has some "sample" disassemblies on it, I would hardly call it
a Vx board.  More current were the various underground magazines which had
both virus disassemblies in them as well as debug scripts.  Yet, in my
opinion, these magazines were the most informative to me in understanding
how computer viruses work.  Since these magazines were so readily
available, signature strings were almost immediately incorporated into the
latest virus scanning software.

PF> On one hand, we have those who argue that virus exchange (Vx) BBSs
PF> do not further the spread of viruses and efforts to curtail their
PF> activities are akin to stifling freedom of expression and the flow
PF> of information. On the other hand, we have those who argue that Vx
PF> BBSs most certainly aid in the spread of computer viruses simply
PF> because they allow live computer viruses, source code and
PF> disassemblies to be freely exchanged as would youngsters trade
PF> baseball cards.
PF>
PF> However, baseball cards do not inflict damage, but many times
PF> viruses do exactly this, in the hands of an unwitting or
PF> inexperienced computer user.

Many things that someone might collect are potentially harmful, the
point is what is done with them.  Vx BBSs have both their good and
bad sides and I don't think that anyone would argue that having full
download privileges on the first call to a Vx board is curtailing the
spread of viruses.  (Well, maybe _someone_ might!)

PF> To briefly address some selected points made in Cud 5.51:
PF>
PF> Jim Thomas writes (in File 1 -- Introduction to the AIS BBS
PF>  Controversy) -
PF>
PF> "Perhaps the anonymous accusers are correct: Some types of
PF> information may pose a risk if abused. But, in an open democracy,
PF> the potential for abuse has been neither a necessary nor a
PF> sufficient justification to silence those with whom we disagree."
PF>
PF> I am flattered that you suggest I actually have enough clout to
PF> personally silence AIS, if that is the gist. I took the liberty
PF> of making it public knowledge, while concurrently voicing _my_
PF> opinion about its merits. This street goes both ways. Most of us
PF> are painfully aware of the numerous virus underground systems
PF> around the world, yet the attention is focused on a solitary
PF> system run by an employee of the U.S. Treasury Department. Why is
PF> that? I suggest that most who squeak the loudest in opposition
PF> to my anonymous (hardly) posting are either a.) not familiar with
PF> the amount of damage, in both manhours and dollars, caused by
PF> computer viruses each year, b.) overly radical proponents of
PF> information exchange who care not what damage may result in said
PF> exchange, or c.) banging their drum just to bang their drum.
PF>
PF> (Please note the use of the word "most" in the statement above.)

Thanks for giving me the "most" option, because I honestly do not feel
that I fit into category A, B or C.  Throughout this letter I hope
that I have adequately expressed my feelings that AIS provided a
positive impact in the fight against computer viruses.  I am very well
aware of the damage viruses can cause in both hard and soft dollars, I
do not believe that all information should be free - certainly there
are very individual things such as credit history, medical history,
etc. that are becoming far more free than I would care for.  And I
hope that no one feels that I am just banging my drum, just to hear
the hollow sound it makes.  I am trying to honestly express my
personal opinion to give all of us the chance to stretch and grow.

PF> Jim Thomas again writes (in File 6 -- Media, Anti-virus
PF>  personnel, Ethics, and AIS) -
PF>
PF> "Let's keep some facts straight. 'Mr. Smith (Kouch)' did *not*
PF> 'nail Clancy's coffin.' Paul Ferguson and his friends did with
PF> anonymous inflammatory posts and with other posts that
PF> irresponsibly suggest illegal and 'underground' activity."
PF>
PF> I'll address this directly, since it is obviously your opinion,
PF> not fact, as you seem to imply. In fact, I think you should have
PF> used "opinionated" instead of "inflammatory," but that is your
PF> prerogative. I find it odd that after so much "underground"
PF> exposure as was afforded AIS in the months preceding my
PF> "anonymous" post, not an eyebrow was raised. Perhaps Kouch's

Paul, again I'm not sure where you are coming from.  In one breath you
say that your actions were not responsible for AIS losing its
underground files, yet on the other hand you mention that no other
response was made to the various underground articles about AIS (as
well as aboveground articles in newspapers such as LAN Times).  Your
anonymous post was almost directly responsible for the current state
of AIS and since that is exactly what you wanted to accomplish, why
not just accept that?

PF> publication is truly "underground" catering specifically to
PF> hush-hush underground circles of computer vandals? I don't
PF> think so. Perhaps Cud is truly an "underground" publication?
PF> I think not. So where's the beef?
PF>
PF> One "anonymous" post, strategically placed razed the house of
PF> cards.
PF>
PF> Mr. Thomas makes one excellent point, however, in the midst of
PF> the remaining text -
PF>
PF> "It's said that some people, angered at this affair, are planning
PF> to retaliate against those judged responsible. This would be an
PF> ethically bankrupt response."
PF>
PF> At least we can agree on this point.

I agree as well.  What is done is done.  And even if you went to the
Bureau of Public Debt yourself, they would not allow the underground files
to be posted again on their board.  Only time will tell whether your
actions were positive, as you believe, or negative.

PF> One final note, for what its worth. I did not post the forwarded
PF> article to damage Clancy's reputation or to prove any particular
PF> political point. Personally, I have nothing to gain by the
PF> results. I do not foolishly sally forth and and do someone else's
PF> bidding in hopes of gaining favor. I do not publish software
PF> which would be directly or indirectly beneficial to myself,
PF> especially anti-virus software (I have done extensive work in
PF> assembly and have reversed-engineered viruses since their
PF> appearance, however). I posted the article because I believe
PF> it is a conflict of interest for any governmental agent to
PF> openly make viruses and disassemblies available, regardless of
PF> intent.

I realize that you were acting in what you felt were everyone's best
interest, but I also feel that there is nothing wrong with our
government making information available to help protect our computer
systems - and I believe that is what AIS was doing.  You can learn how
to make a nuclear bomb by going to the library, but you need the
intelligence and materials to actually build one.

PF>If only one instance of damage resulted directly from the
PF> virus-related material available from AIS, then that is one too
PF> many and I would happily rest my case.

Yet, what if the knowledge shared by AIS enabled more and more people,
like myself or Frank Tirado, to better educate our users and to give
them the knowledge of what to do if they discover a virus.  I have
seen more damage caused by user ignorance (meaning lack of knowledge),
than most actual viruses once they are detected.  Did you ever have a
client who thought they might have a virus but didn't want to bother
you, because they might be wrong.  Those are the people that we need
to educate - in virus protection, prevention and recovery.  It is not
a safe computing world out there and all of us need to do whatever we
can to make it safer.

PF> What happened to the hacker ethic? I seem to recall a "no damage
PF> clause" which still echoes in my mind, especially with the advent
PF> of this fiasco. "Damage?" "Damage," you say, "What Damage?" "AIS
PF> only made it available -- they're not responsible for what is
PF> done with it!"

In my personal opinion, I would be very surprised if there is any
damage that could be traced either directly or indirectly to AIS.  But
I would think that there are a lot of people that can directly trace a
great deal of benefit from it.  Again that is only my opinion and neither
you nor I can really prove otherwise at this time.

PF> Now that I think about about it again, I'm really "not sorry."

I didn't think that you were and that's why I've taken the time to
write these responses.  I felt that even though you may not agree with
everything that I have said, I still had to express those feelings.

PF>
PF> An Open Letter to Mr. Frank Tirado
PF>
PF> In order to adequately address your concerns, accusations and
PF> opinions, I have also included quotations from your last message,
PF> preceded by angled brackets (">"), as is customary with most
PF> netspeak.
PF>
PF> > Message from Paul Ferguson to Cory Tucker:
PF>
PF> > "....I find your posts rather humorous, yet at the same time
PF> > offensive. If Mr. Tirado wishes to confront the issue himself,
PF> > I'd suggest he do so. His absence here in Fidonet or Usenet
PF> > somehow diminishes his credibility. In the meantime, please
PF> > refrain from posting such drivel....."

Paul, most of your posts appear to be very well thought out, but
whether someone is on the FidoNet or UseNet, really should not
diminish his credibility.

PF>  I'd like to specifically address each of your points and present
PF>  contrary opinion.
PF>

PF>FT> o   Closing down the AIS board eliminated a major avenue for
PF>FT>     the propagation of viruses........  Oops!  My imagination
PF>FT>     ran wild for a moment.  You and I both know that not the
PF>FT>     slightest dent has been made in the flow of information
PF>FT>     which you and your cohorts find so objectionable.
PF>
PF>  I apologize, Mr. Tirado -- I do not know that and frankly, nor
PF>  do you. This statement is purely conjecture and you could not
PF>  know possibly otherwise. Your sarcasm is evident. However, I
PF>  disagree implicitly. As I stated in my response (which I have
PF>  submitted to Jim Thomas for inclusion into Cud 5.12) to CuD,
PF>  if even one incident of modified virus propagation resulted
PF>  from the availability of viruses on AIS, then my action was
PF>  warranted, in my own opinion. However, it is obviously a
PF>  rhetorical point because once the files were obtained, no one
PF>  can gauge the possible damage which may have resulted in these
PF>  instances.

The point being that no one can know either the beneficial or negative
impacts that the virus disassemblies on AIS (not viruses) have had on
all of us.  I personally believe that if there was any negative
impact, it was outweighed by the knowledge gained and shared by those
thousand plus users of the board.  But that is really just my own
opinion.


PF>FT> o   Now the virus boards cannot point at the AIS board and
PF>FT>     say: "If they're doing it, why can't we?"  I'll grant
PF>FT>     you this one, but I really can't see virus boards using
PF>FT>     this defense very successfully, should it ever come to
PF>FT>     that.
PF>
PF>  Then you obviously have not been observing the activities of
PF>  underground vX (virus exchange) systems since their inception. I
PF>  have, and I have watched trends develop. For example, the major
PF>  Vx systems have been (and still are) run by members of virus
PF>  creationist groups such as Phalcon/Skism, Nuke and Trident.
PF>  These groups are directly responsible for escalating the sheer
PF>  number of viruses by creating new, undetectable variants of
PF>  existing viruses and creating virus creation tools. This is
PF>  unacceptable, yet you seem to condone this behavior...
PF>

Paul, are you saying that you are a frequent visitor to Vx boards?
Personally, I don't have any problem with that at all, because I
believe that any interest you would have in the Vx boards would be
used to increase your knowledge of viruses and their functions and to
improve security for all your clients, and others through your posts
on Virus_Info.  I am not saying this sarcastically at all.  We should
all be willing to learn from many sources, not just those that are
deemed "appropriate".  I don't think anyone can deny the impact groups
such as Phalcon/Skism, Nuke and Trident have had on the virus world.

PF> > o   Those individuals who could "legally" (there was nothing
PF> >     illegal about any information obtainable through the AIS
PF> >     board) obtain useful and pertinent information from the
PF> >     underground will now probably gravitate towards hacker or
PF> >     virus boards.  You think not?  Let's wait and see.....
PF>
PF>  "Nothing illegal?" At least not yet, obviously. Unethical? That
PF>  is subjective opinion. (I consider it unethical, but as I stated
PF>  above, this is purely subjective.) We shall "wait and see," as
PF>  you've suggested, however, do not expect us to simply dawdle
PF>  idly while these activities are being conducted in real-time.
PF>  Legislation will be introduced in the coming congressional
PF>  session which would outlaw these activities. (Refer to
PF>  Computerworld article, "Virus vagaries foil feds," July 12,
PF>  volume 27, issue 28 for further information.)
PF>
PF> > Your statement that my "absence here in Fidonet or Usenet
PF> > somehow diminishes (my) credibility" is ludicrous. In other
PF> > words, I'm outside of your control so my opinions don't count.
PF>
PF>  On the contrary, Frank. Your opinions are equally as important
PF>  as anyone else. By my statement above (hopefully you can gauge
PF>  the sentiment), I simply do not indulge myself to be duped into
PF>  responding to 2nd party posts in FidoNet -- it is too easy to
PF>  forge. While Fido is near and dear to my heart, there are
PF>  certain aspects about Fido messaging which are rather dubious.
PF>  Your message, while intelligent and forthright, was presented by
PF>  a second party; in this instance, I had my doubts as to its
PF>  authenticity.

A reasonable precaution, since there have been numerous posts from
various people pretending to be other people.  It was actually
refreshing to see you treat this post as a valid post by Frank Tirado.

PF>  This is perhaps the most offensive of your statements. I am told
PF>  that you are a systems security analyst with the Department of
PF>  Agriculture. I do not recall seeing you at any computer security
PF>  conferences, nor recall your participation in any antivirus
PF>  parlances. Do you have some hidden expertise in the antivirus
PF>  arena, or are you simply spouting opinionated idealisms?

Actually, Paul, I'm not sure what conferences Frank attended has to do
with anything.  As I started out with, I met you in November of 1991
in D.C. (don't worry that you don't remember me) and was going to be a
guest speaker at the cancelled conference in November of 1992 with the
ICSA's volunteer field research program.  I was also at the NCSA
conference in DC (IVYP '92), LAN SEC '93 and dropped in on InfoExpo
'93.  Unfortunately budgets are tight and I can't get to anywhere near
the number of conferences that I would like to get to.  I did meet
Frank for the first time in person at LAN SEC and saw him again at
InfoExpo, so I can at least say he was at these conferences.  But the
point is, I don't understand what _your_ point was.  There are only a
handful of recognized "experts" in the field and unless you are
willing to devote a lot of time to the process, it will likely stay
that way in the foreseeable future.  People like myself, don't need to
be an expert on every little aspect of computer viruses.  We don't
make our living dissecting the viruses and creating scan strings for
them.  But what we need to be able to do though, is to be able to talk
intelligently about viruses and how they work.  We need to be able to
provide a positive service to the companies we work with and to people
we meet.  Virus_Info has helped provide some of this information, so
did AIS.  There are a great many security professionals out there that
are just trying to do the best job that we can, and unfortunately
product vendors are often not the best resource for information.  You
have to weigh the information from a number of sources, both good and
bad, then make the most informed opinion that you can.  If you only
look at one side of the coin, you will be cheating yourself and your
customers.

PF>  Mr. Tirado, what I may think has nothing to do with your
PF>  opinions, nor anyone else's for that matter. I have watched as
PF>  virus exchange systems have become the rave, and have absolutely
PF>  contributed to the spread and distribution of viruses, both
PF>  known and contrived. In the matter of AIS, I was outraged that a
PF>  government sponsorship was participating in these same
PF>  activities as other virus eXchange systems.

If you were outraged, you were right to express those emotions.  As I have
mentioned many times, I do not feel that AIS could be dumped into the
category of Vx boards.  It was a board to provide security related
information.

PF> > I don't think so. I find it next to impossible to implicitly
PF> > accept the word of a group whose bottom line is the almighty
PF> > dollar. Besides, as a self-regulating group you guys can't even
PF> > police themselves. I obtained my first 20 viruses from a vendor at
PF> > the same conference where Peter Tippett first proposed not sharing
PF> > viruses. The implications should be "crystal clear", considering
PF> > the plethora live viruses and source code floating around with the
PF> > imprimatur of the major AV software developers.
PF>
PF>  I admit that the antivirus crowd has its share of prima donas
PF>  and is shadowed by the profit modus operandi. I am in no way
PF>  part of the group, either explicitly or implied. You obviously
PF>  do not know me.

I think that there are a lot of people that really don't know you!  I
still can't get over the time you posted that you were looking for a
new moderator for Virus_Info.  It put a human side onto you that few
people see electronically.  I do honestly respect your opinions, even
though I may not agree with all of them.  Most of the stuff that I
deleted out of here, I left out because either I agreed with what you
were saying or had very little objection to it.

PF>  As a final note, I respect your opinions, if that is of any
PF>  consequence. I have been a member of the cyberspace community
PF>  since the late seventies and I have witnessed many, many
PF>  changes in the culture of the nets. The one thing that truly
PF>  upsets me, however, is the reckless abandon with which computer
PF>  viruses are made available to anyone with a modem.

See above.  And yes sometimes it is very upsetting how easy computer
viruses are made available to anyone with a modem.  But it is just as
upsetting to see all these claims made by vendors that you will never
need another scanner or any other product.  There is as much in-fighting
among the AV people as there is among the virus writing groups.

PF>  I have spent countless hours and dollars cleaning up computer
PF>  viruses from countless workstations and LANs. The financial loss
PF>  on the part of these companies is mind-boggling. While you decry
PF>  the freedom of folks to freely exchange potentially damaging
PF>  "information," at least keep this in mind.
PF>
PF>  To quote you in CRYPT #16,
PF>
PF>   "Too my mind, the AIS BBS was one of the best applications
PF>    of my taxpayer dollars," said the USDA's Tirado angrily
PF>    during an interview for this story. "The spineless curs!"
PF>
PF>
PF>  My actions were neither spineless nor uncalculated. I have done
PF>  what I intended to do. Private virus distribution systems are
PF>  next on the agenda...

Obviously, I had no problem with my taxpayers dollars being used to
help support AIS!  And I have also spent far too many hours and
dollars cleaning up viruses from workstations and LANs.  I think there
are a lot of people in the security field, who would like to see it
all just end.  But the thing that keeps sitting in the back of my mind
is that you said you would be willing to die for my freedom of
expression!  I don't want you to die, but what I also don't want to
lose is the right of a person to code a virus on his or her computer!
There have been laws passed against alcohol and laws passed against
pornography and many, many other laws.  And I _now_ believe that there
will be some kinds of laws passed against computer viruses, but I hope
that these laws are laws of responsibility for actions, not laws for
what each person does with their computer.  I understand that
deliberately infecting another individual with a virus is against the
law and maybe in the future the posting of computer viruses on _any_
type of BBS might be regulated with various controls, but as I
overheard Dr. Solomon say once, "As an Englishman, I am constantly
amazing how willing Americans are to give up freedoms that they fought
so hard for just two hundred years ago."  I don't know if that was the
exact quote, but that was very close to it.  I hope that we are not
once again giving up another freedom because of fear.

------------------------------

Date: Thu, 22 Jul 1993 09:41:25 -0400 (EDT)
From: "Paul R. Coen" <PCOEN@DRUNIVAC.DREW.EDU>
Subject: File 3--Virus distribution

Someone recently implied that distributing virus code may soon be
illegal in the United States.

"This is a difficult issue."  I keep hearing that.  No, it isn't --
not in the United States, at least.  Sure, *maybe* laws can be passed
to prevent distribution of virus source code via a BBS.  I'd love to
see someone try to pass a law preventing a printed publication
distributing source code.  Since the virus code itself, on a page, is
not harmful, you really can't make a case for banning it.  Especially
since a good case could be made against such a law being an exercise
in "prior restraint."

Not harmful?  No.  Not sitting on a page.  Or even in a text file on a
computer.  It hasn't been turned into anything harmful.  It isn't a
direct threat.  The threat comes from the fact that it is information
that could be used to make something harmful.  There's an awful lot of
information out there that falls into that category.

Who really uses source code?  There aren't that many virus writers out
there, and source code has been around for a while.  I would guess
that much of it is aquired by the curious -- people who have heard
about viruses, want to see what it looks like, etc.  They'll probably
never write their own.  They may never even assemble the ones they
get.  Who else gets it?  Technical staff who need to know what a virus
does in order to figure out what level of panic they need to instill
in their users over a particular outbreak.  In other words, you can't
assess a threat unless you know what a virus does.

In that case, you have a few choices -- find good, accurate
information on what the virus does (difficult), disassemble it
yourself (tedious and time consuming), or find a cleaned-up
disassembly somewhere.  I'd prefer the latter.  I've had to do the
second more than once.

"Oh, but you don't *really* need to know.  Just remove it!"  Bull***t.
Making your users freak out over Stoned to the same degree that you
would want to panic them if they had something that was deliberately
nasty on their drives is just not what you want to do.  A sense of
proportion is required here, and that is what is so often lacking in
discussions about computer viruses.  Your users want to know what the
threat is, and unless you either a) lie and always say it is
destructive or b) shrug and say "I don't know," you need the
information.

Who else gets it?  Not too many of the virus writers.  They usually
have it already.  They have channels to sources for information like
this.  A lot of IS people don't -- and don't want to have to waste
their time making the needed connections, either.

This reminds me of Rep. Markey (is that the right spelling?  I can
never remember) going off about _2600_ at the hearings.  He didn't
seem to realize that a) _2600_ is pretty innocuous and b) a lot of the
subscribers are computer professionals who would like to know what is
going on so that they can protect themselves.  Vendors never give you
details, that's for damn sure.

Where am I coming from on this?  I was one of the people who dealt
with the first virus outbreak at Drew University, about 4 years ago.
Since then, I've managed to convince the school to site license
anti-virus software.  I've also had to deal with a lot more viruses.
And I've wasted a lot of time.  A good amount of that time, though,
would have been saved if there was detailed, accurate information on
viruses available, or if I could just get an already-done and
commented disassembly.  Not for something like stoned, but every once
in a while we get something kind of goofy that anti-virus software
can't deal with.  I want to know what it is, where it copies the
original boot sector to on the drive, if it has a payload, what's the
trigger, etc.  I've never written a virus.  Could I?  Yes.  Will I?
Probably not.  I don't have the desire or the time.

Stop trying to dictate what kinds of information are "good" and what
is "bad" in an area like this.  Unless this violates privacy (and I
would make exceptions for people whistleblowing on corporations or
criminal activities), I don't really have an ethical problem with it.
The information is there, and it is far more useful to try to teach
people to be responsible than it is to try to track down everything
that an irresponsible person could do damage with.  You don't teach
ethics by declaring some piece of knowledge taboo and trying to stamp
it out of existence.

------------------------------

End of Computer Underground Digest #5.58
************************************