Re: Implications of recent virus (Trojan Horse) attack


Everett Kaser (hp-pcd!hpcvlx!everett@hplabs.hp.com)
8 Nov 88 18:11:34 GMT


I would propose that there is a place (in our computer-network-society) for
persons attempting to write (non-destructive!) viruses. There is no better
means of protecting ourselves from destructive viruses than to be constantly
testing ourselves with non-destructive ones. Of course, there are two small
holes in this logic: 1) there may be a bug in your non-destructive virus
which turns it destructive, accidentally; and 2) non-destructive viruses may
not find all of the possible holes in the system, i.e. a destructive virus
may get into the system in a destructive way, which a non-destructive virus
would never find.

I feel that the risk of hole number 1 is worth the benefits. If a few 100
people KNEW about these holes in the system that were exploited by the
recent virus, WHY WEREN'T THEY FIXED? Making a "game" out of non-destructive
viruses would have an analogy to the military's "war games"; try testing
your strategies and tactics in a non-destructive way BEFORE getting into
a destructive situation, and hopefully, in that way, cut your losses.

Perhaps a university or some other organization could be set up as a
"clearing house" for virus tests. Something along the line of:
   1) John Doe thinks he sees a hole in the security system.
   2) John creates a program to exploit that hole (in a non-destructive way).
   3) John takes that program (along with appropriate documentation) to the
      "clearing house".
   4) The "clearing house" would review it for possible destructive behaviour.
      (This would not be 100% proof that destruction wouldn't occur, but
       would make the likelihood of it much lower, and provides a means of
       "licensing" the virus author to do the test without alerting the
       defenders (sys-admins) that the test is going to be run.)
   5) The test is run, and if successful, all systems will be tightened to
      avoid future use of the hole.
Remember, appealing to people's sense of "morality" doesn't work. There are
always terrorists and anti-social people who will behave amorally. Either
we can strengthen our own defense, or wait for the terrorists to force us
to do it.

Everett Kaser
!hplabs!hp-pcd!everett



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:29 GMT