Cris Vol 1 Issue 18
-----BEGIN PGP SIGNED MESSAGE-----
Submitted to Crisnews By:
James Lipshultz, Esquire
Computer Specialist/Computer Security Officer/
Computer Forensics Specialist
United States Federal Government, Law Enforcement Branch
---------------------------- Start of Article -------------------------------
"Treasury Department doing an excellent job on educating U.S. Government
Security Officers, Professionally jealous mystery person causes weak willed
government management to crumble at his vaporous words."
The actual headline in the Washington Post was: "Treasury Told Computer
Virus Secrets, Whistleblowers Halted Display Available to Anyone With
a modem."
Please, give me a break!
COMPUTER VIRUSES ARE A SECRET ONLY TO COMPUTER ILLITERATES!
The article in the Washington Post on Saturday June 19, 1993 was a
myopic, yellow journalistic piece designed to malign the reputation of Kim
Clancy, who is an outstanding U.S. Government Security Officer working
for the Treasury's Bureau of Public Debt, AIS Branch.
Washington's alternative newspaper, "The Washington Post", appears to
have been manipulated by Paul Ferguson (an apparent Anti-Virus Sycophant
Groupie) who supports and echoes the extreme self-righteous, pious,
whimpering of a coward who posted an anonymous message in the risks
forum which condemns the BBS run by the Treasury Department.
Ferguson's comments appear to be mentored by a corpulent self-serving British
Anti-Virus vendor whom I will refer to as possibly being Paul's
"Stromboli". (The Puppet Master in Pinocchio who makes the marionettes
magically dance.) +<|:)
The quote in the Post by Ferguson was incredibly muddled, obtuse, and
boorish. It is a globally known fact that in any debate analogy is not valid
because it has nothing to do with the subject matter. As a computer
consultant who thinks a computer virus is, as quoted in the Post,".... like
leaving a loaded gun around and people saying: 'It's not my fault if someone
picks it up and shoots himself in the head with it.'". Who are you kidding
Paul? Do you really think that source code is the same as a hand gun?
Viruses have no relationship to handguns at all. If this comparison was
valid, wouldn't it have been enjoyable to have heard that when the riots
broke out in South Central L.A., that the rioters held up store owners with
floppy disks containing virus source code in ASCII format or were seen
pointing printouts of virus source code. +<|:) If you need education in
computer source code versus handguns, allow me to direct you to the
nearest University for an education in computer programming, the NRA for
handgun enlightenment, and G. Gordon Liddy to learn how to correctly form
a sentence as well as use a handgun.
Is it ethical or moral for you to own the Trident Polymorphic Engine that
you got from a virus BBS? Do you consider yourself two-faced for
engaging in this practice of downloading viruses from virus BBS's?
Perhaps you should take a closer look at your own ethics before you venture
opinions about a respected security officer in the Federal Government.
Do you now see how ridiculous you sound? Do you believe that anyone
who owns virus source code is immoral or unethical? If so, then when does
it become ethical and moral to own source code?
Another statement by Paul Ferguson on computer viruses sounds like an
advertisement for an Anti-Virus (AV) vendor. "The potential for virus
damage has increased geometrically as big isolated mainframe computers
are abandoned in favor of networks of small PCs--some worldwide in
scope--through which the viruses can migrate. Because of the distributed
nature of the network, a virus can now reach thousands of machines,
requiring hundreds of thousands of dollars of man-hours to clean up once
infected."
Let's examine this statement. What is the basis of this statistical claim?
Is it real or is it Memorex? Hmmm...... Geometrically?.... Are you sure?
How about exponentially or is it linear? Maybe you should have said
"To obtain the proper potential for virus damage we multiplied the growth
rate based on The Theory of Relativity which we then divide by the Gamma
Factor, which, as we all know, is the inverse of the square root of one,
minus Planck's Constant divided by C squared, C being the speed of light
which as we all know is an absolute." Whooo Weee, next time baffle the
press with heavy duty BS, Paul. +<|:) <G>
On what type of network operating system does the situation you describe
occur? On networks with at least a C2 level of security? Is it because
everyone is allowed physical and write access to the server, or because the
System Administrator is a total incompetent or computer illiterate? Is it
correct to assume that most Sysops are so ignorant about viruses that most
networks are not running Anti-Virus software?
Paul, once again I think you have overstated yourself. I believe you should
have said:
"If a network sysop is a secretary with no computer skills and the network
has no security whatsoever and everyone on the LAN is allowed to bring
foreign software and execute it on the server, then a virus that is specific
to the network operating system has a chance of remaining undetected and
traveling."
(Notice I kept your sentence structure so that it would look like your
words.) +<|:) <Did you understand the symbol to the left yet? Get it, (Pope
Paul)> <G>
Coming in at a very close second in my hit parade of insipid comments was
Bruce Sterling, the author of the mostly dry and mildly entertaining "Hacker
Crackdown...Bla Bla Bla". Bruce's equally ridiculous quote appears to
have been made to get his vanishing name in print. He made virus source
code "the equivalent of how to commit arson, or hot-wire cars." Would you
be willing to submit to a drug test Bruce? Maybe you should return to
writing fiction since you have such a wonderful imagination. Would you
please cite the instances where a house was burned down and the fire
marshal attributed the cause to virus source code? Have you ever heard of
a police officer who said a thief has been starting cars with virus source
code?
I am so impressed by your brilliant quote: "Every maladjusted sociopath
with Coke-bottle-bottom glasses has no trouble finding this stuff. The
police are the only ones not allowing themselves to look at this stuff."
Wow, I'm having trouble understanding why you did not seek a career in
law enforcement. It is apparent that you would know the Bad Guys because
they are the ones with the close-set beady eyes.
Bruce, if maladjusted sociopaths exist, are there any adjusted sociopaths?
As a "professional" writer I would assume your verbal and writing
skills to be better than most. May I make the following suggestion? Look in
the dictionary and learn the meaning of the word malapropism before you
write anything else. By your quote, are you saying that all sociopaths wear
coke-bottle-bottom glasses and thus have gravitated to fulfilling the quest of
the unholy grail by seeking out people with virus source code? Why not
type cast people by race? Take a good look at the people who code
Anti-Virus products. Some of them have thick glasses, though we both
know that they would never spread a virus? (Yea, Right!)
As for the police not looking at this stuff, I have to assume that you imply all
law enforcement officers, County, State, and Federal. Law Enforcement
knowledge regarding computer crimes is far better than you ever dreamed
and we do gather knowledge from virus BBS's. As a brotherhood, we share
knowledge to help fight the war on crime, so don't ever sell us short. It is
apparent that you are unaware of the skills of computer specialists in the
federal government, especially in federal law enforcement agencies.
I will give you credit for conveying the idea that Kim Clancy was very good
at her job, though you give it an edge that leaves one feeling that she is
brilliant but somehow demonically twisted. (Oh help me Obiwan, she is
succumbing to the dark side of the force.) :) Kim Clancy is a decent hard
working person who attained her knowledge and status by intense work and
study. She is respected because she knows, understands, and can articulate
computer security subject matter in a concise clear manner, something
beyond the ability of you and your ilk.
What you have done is to sensationalize an event that has been blown totally
out of proportion. Your choice of words is the type that sells publications
such as the Washington Post and the National Enquirer.
Do you understand why your comments are ludicrous? In the future stay
away from analogy and please take some courses in English before you
write your next book, or at least talk to Mr. Liddy. Dial 1-800-G-G-LIDDY
Monday through Friday, right after the lovely and talented Howard Stern. :)
I was further upset by the way in which the Washington Post sensationalized
what was on the board. Where, oh where, did the Washington Post get
all their info? Mmmmm? "The board also made available hundreds of
"hackers' tools"--The cybernetic equivalent of safecracking aids. They
included "password cracker" software."...and Bla Bla Bla. Wow, wake
the kids, phone the neighbors, someone has a BBS with files that will hack a
password! (Uh-ohhh, Frankenstein is on the loose!) :0 Several things to
note here:
o Many companies make their living by selling software that returns
the password used in the proprietary scrambling of WordPerfect,
Lotus, Paradox, Excel and others.
o Also, there is software that takes a brute force approach to breaking
the password to PKZIP v1.1 encrypted files.
The article leads one to believe that the BBS had a piece of software
that could crack any type of encryption, possibly endangering National
Security.
The Washington Post should have specified what type of encryption
breaking software was available. Instead, the Post failed to inform
the reader that the encryption breaking files on the Treasury board
were nothing of any major significance. It's just that encryption
breaking sounds good and satisfies the tabloid readers
who have "inquiring" minds. :)
The catalyst that started this avalanche of Bravo Sierra (BS) appeared from
the Risks Forum. The article was submitted by a coward who refuses to
reveal his identity. I will restate his words and comment on this trash
directly from the RISKS14.58 which I downloaded from The Treasury's
AIS BBS. I will not use the direct quote from the Washington Post since
they omitted several sentences. (By the way, how can a publication put
quote marks around a statement and then not have it reflect the exact words
that were actually written? Can you answer this Joel? Back to English 101
for you Joel.) I will put the Post's quote in CAPS so that the reader can see
how it was edited. I will include my wonderful and insightful comments, in
parenthesis, where appropriate in the text.
"This text was forwarded to me by a friend and professional colleague in
the UK. I AM DISMAYED THAT THIS TYPE OF ACTIVITY IS BEING CONDONED BY AN
AMERICAN GOVERNMENTAL AGENCY. I can only hope that this operation is shut
down and the responsible parties reprimanded. I AM EXTREMELY DISTURBED BY
THE THOUGHT THAT MY TAX MONEY IS BEING USED FOR WHAT I CONSIDER UNETHICAL,
IMMORAL, AND POSSIBLY ILLEGAL ACTIVITIES."
... Insert screen captures from the menu of the Treasury's BBS here...
"I submit this text in an anonymous fashion for fear of reprisal. (COWARD!!!)
I respectfully request (lick, lick, kiss, kiss...my what a brown nose you
have Pinocchio.) that it be posted to both VIRUS-L and RISKS Digests.
I think the risks of Government sponsored virus exchange are crystal clear."
(To whom, Pinocchio?)
Who is this person who so frivolously throws such strong words around but
is too afraid to put his name to them? (Like we really don't have a clue, we're
so naive.) Mr. Anonymous also states that he is afraid of reprisals from the
Treasury Department. Does this person actually believe that the Treasury
Department engages in retaliation for negative comments to their policies
and procedures? The Treasury Department is staffed by some of the finest
law enforcement and non law enforcement personnel, who probably have
the finest morals and ethics in the Federal Government.
"Anonymous" used all the correct government buzzwords that will send any
meek GS management scrambling to cover their ass. The good old boy
alarm is activated, memos start to fly and the process of denying knowledge
of the activity begins. Weak willed government management cringes at the
thought of a memo with the words tax money associated with "unethical,
immoral, and illegal". Damage control is enacted and the weak kneed
management buckles under to the words of a ghost. What a shame that
Kim's BBS was so easily raped and reduced to mediocrity.
Peter Hollenbach's words were irresponsible and ill chosen. His first
mistake was to state that the Treasury Department had made a mistake
which they were scrambling to correct. It implied extreme ignorance on
management's part. The paragraph in the Washington Post stated: "The
Treasury Department has little idea who has dialed up the bulletin board,
and what has been copied out of it", said spokesman Peter Hollenbach.
"Hence it is impossible to judge if any damage has been done." Is this the
best you can do Peter? Where is your head making these outrageous
statements? You answer in the extreme negative and leave out the positive.
You should be fired for gross incompetence in handling damage control!
The Treasury Department definitely needs a person who will stand up for
its people and the Agency. Where the hell is your pride? Kissing ass of the
politically correct makes you sound like a roll over wimp and a poor liar.
I used the "I didn't know" excuse in grade school. Please ... be a man!
A strong willed, organized, management would have admitted that they
were aware of, and defended, Kim Clancy's actions. I believe the Treasury
Dept. AIS management should have publicly announced that they were
putting her up for a performance award and done it! (No Guts, No Glory!)
Hollenbach should have said that the board had been running for several
years with the full knowledge of the Anti-Virus community and not one
(or say most all) AV vendor had complained. Nor have they received any
complaints from the ICSA, NCSA, EICAR, or CARO (once again list the
"big" guys who do not complain; do you understand yet, Hollenbach?) who
are all fully aware of the board's existence. In fact two members of the
Computer Antivirus Research Organization (CARO) actively encouraged
Kim to obtain more computer professional programming files (commonly
called hacker files by the press neophytes). They did not complain that the
BBS distributed because they were among the organizations who
downloaded these files. The Anti-Virus industry as a whole did not
complain that the board was immoral or unethical and encouraged its
existence.
Most importantly, the board provided extensive help to security personnel
throughout the Federal Government and helped other security officers in
their endeavors to achieve outstanding performance in securing their
agencies' networks. (Period, end of statement!)
See how it works Peter, stand up for the Treasury Department and its
people. Don't be pushed around. Tell the press how really ethical, moral,
and loyal Treasury personnel are, and mean it! The Federal Government is
providing you with a fine job. Drop the coffee cup from one hand and the
paycheck from the other and get your sorry ass in gear, mister!
(Semper Fi!)
If you don't know what to say, tell the press that a statement is being
prepared which will be released in a few days. By so doing, you've given
yourself time to think clearly and form a good plan by talking to people who
understand the problem clearly. Thus, you do not embarrass the Federal
Government. In addition, never admit ignorance or try and back-pedal, the
Washington Post twisted your words to make you look foolish. Remember
above all, Peter, the truth is the easiest to remember. (Truth is your shield
and knowledge is your weapon. You had both and didn't use them!)
On to the next topic, the quote in the Post that states "'...since the
complaints began, Treasury officials, while not disciplining Clancy, have
shut down the 'underground' portion of her bulletin board.' "It is not
consistent with what we originally set out to accomplish", Hollenbach said.
"We decided to refocus back to our roots." Since complaints began?
How many complaints were lodged against this BBS? I would like to count the
complaints. (on the fingers of one hand, I'll bet!) How many letters of
support and accolades from competent Federal and private security officers
has Kim Clancy received? I would wager that the support letters
"geometrically" +<|:) outnumber the holy (two faced) self-righteous letters.
Wake up everybody! The AV people trade more source code and viruses
than anyone! I know because I trade with them. I have their infected goat
files with their Company names in them! Shutting down the Treasury BBS
has not vanquished some evil, it is insuring that vendors will control the
market place and tell us only what they deem appropriate. You
"Pinocchios" not only need a conscience, you need common sense. You are
being used as pawns in a game for control of the market place, and your
you're being made into politically correct fools.
Third on the chart of laughable Post quotes is Neumann... 'Neumann of
Risks Forum, however, is troubled by Clancy's actions. "It is the classical
double-edged sword. It might help, and might hinder. (You should have
stopped your quote at this point, however you had to step in it by going on.
Now you're doing that special one shoe tap dance... Ugh!) You're looking at
a potential for serious disaster", he added. "If you're talking about
life-critical systems --air traffic control, for instance-- it means killing
people."
Another brilliant thinker? All I can say is if you are stupid enough to run
a DOS based network for critical systems such as air traffic control, people
will probably die anyway, even if there are no viruses. Have you ever had
a DOS system hang due to a conflict with a TSR? (Duh!) --- DOS is a real
C2 secure operating system isn't it? Maybe an Apple or an Amiga system
would be better for Air Traffic Control. Hmmmmm? Those are at least as
secure as MS-DOS ...please spare me your platitudes, Neumann.
The Treasury BBS did not have any viruses that would take out the Air
Traffic Control System or some other Mission critical system. Let's come
back to earth please. Neumann, do you have an understanding of viruses or
are you just like the other computer illiterates that hear the word virus and
pull out their verbal Excalibur swords to attack? Next time, truly know
your enemy before you attack.
An interesting experiment by one virus author involved tracking viruses
through the AV vendors. The author sent his virus up to one big name AV
vendor. Two months later it was in VSUM and it was sent back to him by
overseas underground virus BBS's in three months. I call that an interesting
experiment with a powerful statement on the propagation of viruses by the
AV community itself.
Several virus writers have told me that they are coming together in their
efforts and are becoming more politically aware in pointing out hypocrisy.
One virus author alleges that he created a virus called "SARA" with a
unique X-rated graphics as a statement of hypocrisy in an AV groupie who
hounded and begged Mark Ludwig at an AV convention for a copy of his
book "The Little Black Book of Computer Viruses". Upon finally selling
her (What is the name, Hmmmmm?) a copy to get her to leave him alone,
she allegedly ran around holding Ludwig's book above her head shouting
"He sold me a copy, he lied, see." (Ludwig promised not to sell a copy of
this book at the Conference. - If this is true, lame stunt to pull Sara!
Shame on you, bad girl, bad girl, Grrrrrrrr.)
This same person was later heard saying that she planned to publish a book
containing the Sysop name, actual name, addresses and phone numbers of
all the virus sysops. (Obviously a money junkie in need of a quick fix.
How popular could this possibly be? I believe the author of such an
endeavor better be correct, and be able to back it up, otherwise it sounds
like a class action libel law suit. Not good for profits.) This allegedly
created a big commotion among the sysop community.
Virus authors are also attacking the lack of programming skill of some
popular AV developers to demonstrate how the public is getting stuck with
inferior AV products. For example McOversized Wallet's scanner only
catches about sixty percent of the viruses generated by the Phalcon-SKISM
Mass Produced Code Generator. In addition, NPOX attacks the lack of
internal security checks in CPAV. On the other hand, there are some
exceptionally outstanding virus scanners, such as Fridrik Skulason's
F-PROT. He has about, if not the best scanner/disinfector on the market.
Frisk is truly a person dedicated to stopping the virus problem by making
his AV software available for ONE dollar, thus the public can choose quality
protection for their PC that is affordable.
Another alleged story in the underground goes like this: a meeting of AV
people was held in New York and "Stromboli" was running the show.
During the lunch break a computer "criminal" broke into the room and stole
the minutes of the meeting. The minutes reported the AV organization would
deny the existence of their virus collection. Thus they would not have to
share them with anyone else. (Squeezing out competition and raising prices
later.) Sounds like a Cartel to me. Wow, can this be true? An AV person
worrying more about profits and eliminating competition than fighting the
war on computer viruses? But when "Stromboli" talks all he can say is how
unethical and immoral those people are who possess viruses or even source
code.
Perhaps the Federal Trade Commission should be notified of unfair
competition in the market place. I would also hope that a government
agency takes control of a super set of all viruses from all the companies and
sets the naming standard (NIST could do this.), as well as keep the viral
search strings and algorithmic patterns of ALL anti-virus vendors. Thus any
new vendor could apply for a set of viruses from this agency and not be
prevented from entering the market because of a lack of test viruses. Every
time a vendor at home or overseas updates his product he would then
submit the new viruses to this governmental agency, along with
recompilable AV product source code. The Federal Government would
thus have an accurate comparison of the existing marketed version and
would protect consumers from shabby anti-virus products, because these
would have government approval. The ethical conflict of vendors
controlling source code and viruses while assuring us, with a toothy grin,
that their products work, would be solved.
I think this idea could work and should be expanded upon. It would seem to
be a better idea than trying to keep citizens from owning virus source code
or compiled and executable versions for test purposes. Maybe the average
citizens should contact their senators about enacting some legislation to
enforce standards on AV products that purport to protect our computer
disks. I hope the Federal Government would be in control of a complete
library of source and compiled viruses, insuring product quality and
competition among AV vendors. Thus, the consumer would be relieved of
virus fears by superior products and competitive pricing. Thus, ALL
individuals who choose to own source code and viruses will maintain this
freedom.
I am asking for a response from the user community on these next few
questions:
o If viruses are illegal in the UK, then why does "Stromboli", in
PRIVATE industry, control the largest set?
o Why doesn't the British government control access to the viruses?
o If it is illegal for a private citizen to own or trade viruses in
the UK then why hasn't "Stromboli" been arrested for trading
viruses locally and internationally?
o "Stromboli's" goat file viruses are showing up on virus BBS's and
infecting American PC's.
o Is "Stromboli" trading with virus BBS's to get the latest viruses?
o Can the U.S. Government hold "Stromboli" responsible for his virus
infected goat file infecting any Federal PC's?
o Should Americans complain to The State Department to press for
action against "Stromboli" for importing viruses into the US, while
violating the laws of the UK? (How dare you... you... you... phony
internet mail virus Importer/Exporter., P.S. Thanks for my set.)
"Stromboli", you and you alone are ultimately responsible for the spread of
the viruses with your company logo attached. What did your fellow CARO
members say when they received a large set of viruses from an American
virus BBS that contained your virus infected goat files? (Holy Moly Dude,
the monster you created is coming back to bite you in the ass.)
The news media is constantly being manipulated by special interest groups
that stand to financially benefit from politically correct views. At the same
time, the papers are constantly looking for ways to create cover stories
which support their political agenda and enhance stories that sell their
publications, making huge profits. (Don't get me wrong I'm all for profit and
big business. Go Gates!) However, when it comes to attacking one of the
government's most respected Security Officers I feel the news media was
fast to move and slow to screen bias in their stories. I also feel that
Ferguson, Sterling, Hollenbach, and Neumann should present a written
apology to Kim Clancy in an open public forum.
Viruses are an overblown phenomenon created by people who make money
from the existence of viruses. Remember the Michelangelo virus, a big dud
in the real world, except for the AV people's McOversized wallets?
Viruses do exist, though they are a very small problem for an ethical and
knowledgeable sysop who follows common sense computing practices.
Do you bootleg software? Do you download strange software files offered
by various BBS's and execute the files on your server? Do you share or
trade floppies with your friends at work or home? Do you import software
from your home PC? If so, does anyone else (like your college son) operate
software from the university on your PC? Is your PC devoid of Anti-Virus
Software? If you answer yes to any of the above questions, your own
ignorance and laziness will insure you someday get a virus.
In conclusion, you moral majority types are neither moral nor in the
majority. As a law enforcement computer security officer and computer
forensics specialist, I have been told I am not responsible enough to own
viruses, by the same AV people who trade viruses among themselves.
Since the response was usually, "We don't want to be responsible for
spreading viruses", it was all I could do to not speak out and call them
hypocrites. It is time that certain vendors stop telling us how to think, and
what we can or can not do as regards computer source code, viral in nature
or otherwise.
AFTER THOUGHT: to Peter S. Tippett, has any anti-virus vendor signed
the "Anti-Virus Developers, Publishers and Professionals Code of Ethics"
(My Copy is) Draft 1.3, 11/19/91 (a noble attempt by a decent fair minded
person with a good idea, brought forth at the NCSA 1st International
Anti-Virus Product Developers Conference on 11/25/91). As I recall, not
one AV Developer was willing to sign it, and it scared the hell out of most
of the AV people. Has it been improved on and has anyone signed it?
I would like to see the names published in the Washington Post of the
AV people who signed and did not sign an ethics agreement. Will the
signature count be greater than two, including yourself?
------------------------------------------------------------
|| My message to the coward "anonymous" in the RISKS FORUM. ||
|| ||
|| Quid Pro Quo ||
|| ||
------------------------------------------------------------
Author: James Lipshultz, Esquire
Computer Specialist/Computer Security Officer/
Computer Forensics Specialist
United States Federal Government, Law Enforcement Branch
(Special Thanks to Mr. Frank Tirado, US Federal Government,
for editing and comments.)
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLNc4fqM4CDusTF+9AQEw8AH+LUu5hrDdEgMgASODbHNJKHxeJR+TEYho
ISK524VijuyRYp0C9pcibT2/N1ygoprKfIUKWIO4/NhI8OVB5+wAHQ==
=4Whm
-----END PGP SIGNATURE-----