From ANONYMOUS
Walker
that one again (i got in a lot of trouble for using that, was an
accident - netscape's fault) - use my mdk...@hotmail.com
please.....thanx
also, thanx for the code
http://mdk.iwarp.com
http://mdk.iwarp.com/code.htm
My "virus central" interface is fucking up - gotta fix it (...stupid
freeservers....)
kurt wismer
> Sorry guys, but the people who used my ispdr email, could you not use
> that one again (i got in a lot of trouble for using that, was an
> accident - netscape's fault) - use my mdk...@hotmail.com
> please.....thanx
>
> also, thanx for the code
[snip offending material]
> My "virus central" interface is fucking up - gotta fix it (...stupid
> freeservers....)
please don't advertize virus distribution sites here, it's a good way to
get them taken down...
--
". . . and i was looking so good, shamoo took a shining to me. and they're
so smart those things, you know, they got all these human emotions. love,
lust, green hundred year old eyed jealousy. barthalamoo - was *livid*.
unbeknownst to me, i can't hear a god damned thing underwater."
fwa...@ispdr.net.au
disclaimer)
It's for people to learn about them - what people DO with the code is their
own fault and if they screw up - that's their fault as well.....
I suppose you'll also have a go at Mark A. Ludwig for his book then, will you?
(www.amazon.com and search for The Giant Black Book of Computer Viruses)
OR the cd produced by his publisher - which contains 11,000 viruses, virus
mutation engines, the works......
Frederic Bonroy
> It's not a virus distribution site - go take a look at it (and read the
> disclaimer)
> It's for people to learn about them
I bet the amount of people who are going to use the code for malicious purposes is
far higher than the amount of people who genuinely just want to learn.
> - what people DO with the code is their
> own fault and if they screw up - that's their fault as well.....
And what if they mess up somebody else's computer? Did you think of that?
kurt wismer
> It's not a virus distribution site - go take a look at it (and read the
> disclaimer)
i did... it said the site contained virus source code and that people
can download... that means it distributes viruses to anyone who asks for
them...
> It's for people to learn about them - what people DO with the code is their
> own fault and if they screw up - that's their fault as well.....
that kind of irresponsible attitude is exactly why i am against the
uncontrolled distribution of viruses...
> I suppose you'll also have a go at Mark A. Ludwig for his book then, will you?
if he posts a message in alt.comp.virus advertizing a site where people
can download viruses, yes...
> (www.amazon.com and search for The Giant Black Book of Computer Viruses)
> OR the cd produced by his publisher - which contains 11,000 viruses, virus
> mutation engines, the works......
as i recall, the cd actually contains a lot of garbage that happens to
make scanners false alarm and *some* viruses (many of which appear
multiple times under different names to inflate the count)...
.
yet to put up articles on GETTING RID OF VIRUSES and other GOOD STUFF (if you reckon
the other stuff is BAD)
"Windows crashed....
I am like the Blue Screen of Death
No-one hears your screams"
Bilge
>that kind of irresponsible attitude is exactly why i am against the
>uncontrolled distribution of viruses...
>
Place the blame where it properly lies: The irresponsible attitude of
people that blindly run software and prefer to restrict other people to
avoid being responsible for their own mistaken belief that they can pawn
off the inconvenience of being informed is why you're against uncontrolled
distribution. When restrictions are imposed upon information for the
sake of convenience at the expense of others, the majority of which
probably do not sit around an contemplate destroying the world, just to
stop (and not very successfully) a few, it's called fascism. The only
reason to control information is to control people and promising people
convenience in exchange for the rights of others has no place in a free
society. Unless penalizing you for my stupidity is a valid reason
for me to act in any way I see fit to avoid intelligence.
The person most willing to impose such controls is usually the
of the belief that they don't fall into the class of restricted
seekers. It's a status thing.
>
>as i recall, the cd actually contains a lot of garbage that happens to
>make scanners false alarm and *some* viruses (many of which appear
>multiple times under different names to inflate the count)...
>
Learning anything involves look at examples. Not just good
examples. Bad examples, not-so-bad examples, total flop examples.
Without contrast, it's impossible to know why something should be
considered good. The person that only wants the latest and least
detectable virus is the person that really has no need to have it,
since they probably arent interested in those properties for the
programmer's sense of aesthetics.
kurt wismer
> kurt wismer <g9k...@cdf.toronto.edu> 4/13/2000:
>
> >On Thu, 13 Apr 2000 fwa...@ispdr.net.au wrote:
> >
> >> It's not a virus distribution site - go take a look at it (and read the
> >> disclaimer)
> >
> >i did... it said the site contained virus source code and that people
> >can download... that means it distributes viruses to anyone who asks for
> >them...
>
> Gosh, Kurt, anyone who connects to the Web is connecting to the world's largest
> virus distribution site.
the web is not *a* site...
> Your opinion really doesn't matter.
your opinion that my opinion doesn't matter, doesn't matter...
> If people wish
> to openly share source code, you should be happy.
??? are you quite alright? you don't seem to be making very much sense
here... why should i be happy? by openly sharing source code you not only
give resources to people who want to spread other peoples viruses but also
give resources to people who want to learn to write viruses and spread
*those* viruses...
not that i think there's anything wrong with the writing on it's own, it's
just that we'd all be better off is some people had never learned how as
what they do with what they produce is entirely bad...
> Virus scanners can't keep up
> as it is.
in what sense can scanners not keep up?
> Why else would you be using Pine?
because that's all that is installed on this account, because i don't have
space to install anything else, and because there isn't a whole lot else i
can use when i'm telnetting in using a 186 portable and a 2400bps modem...
kurt wismer
> kurt wismer said some stuff about
>
> >that kind of irresponsible attitude is exactly why i am against the
> >uncontrolled distribution of viruses...
> >
>
> Place the blame where it properly lies: The irresponsible attitude of
> people that blindly run software
oh, sure... blame the victims... blame people for not having perfect and
completely knowledge of computer security... computer security should be
required knowledge and we should do away with anyone who doesn't have
it...
wanna try again?
> and prefer to restrict other people to
> avoid being responsible for their own mistaken belief that they can pawn
> off the inconvenience of being informed is why you're against uncontrolled
> distribution.
no, i'm against uncontrolled distribution because it puts viruses in the
hands of people who mean to do harm... i am against it because it is
insecure... i am against it because it is hypocrisy...
you talk about blaming people who act without being informed, uncontrolled
distribution is an action made without being informed about the recipients
intentions...
which do you think is worse, ignoring potential details or ignoring
potential malice...
> When restrictions are imposed upon information for the
> sake of convenience at the expense of others, the majority of which
> probably do not sit around an contemplate destroying the world, just to
> stop (and not very successfully) a few, it's called fascism.
well, if information really wants to be free why don't you go ahead and
post your credit card numbers, telephone contact information, etc... i
mean sure you'll probably have to have it all changed but that's just an
inconvenience and most of us wouldn't contemplate misusing it or
anything...
> The only
> reason to control information is to control people
so by hiding your credit card numbers you're controlling people...
get real... by hiding your credit card numbers you protect yourself, by
making sure you only give virus materials to responsible people you
protect yourself and others... it's that simple...
[snip]
> The person most willing to impose such controls is usually the
> of the belief that they don't fall into the class of restricted
> seekers. It's a status thing.
that's a rather gross generalization... i'm pushing this harder than
anyone, i'm the first person i ever heard propose it, and nobody gives me
viruses... i have no such status...
> >as i recall, the cd actually contains a lot of garbage that happens to
> >make scanners false alarm and *some* viruses (many of which appear
> >multiple times under different names to inflate the count)...
>
> Learning anything involves look at examples. Not just good
> examples.
i never said the cd didn't contain viruses, or couldn't be used in the
learning process, just that it's not quite the massive distribution the
previous poster (whose text is absent) suggested it was...
Cyclone
I hope this thread doesn't last as long as "Plural of Viruses" [hi David!],
though :)
kurt wismer wrote:
> no, i'm against uncontrolled distribution because it puts viruses in the
> hands of people who mean to do harm... i am against it because it is
> insecure... i am against it because it is hypocrisy...
You see, that's the problem with your view point.
You ASSUME that almost everyone who want to get a virus gets it because they
want to spread it. Sure it happens - that would be difficult to deny. The
thing is though, that a lot of people have no intention of spreading them.
The problem with your veiwpoint, is that you assume the worst, and are willing
to be "plesantly" surprised. Although that method of doing things is more
secure, and less likely to result in problems, it is not without its drawbacks
too.
One of the nice things about places like the united states is, peoples
willingness to help others.
For example, if you're stuck in a parking lot somewhere with your car's starter
having gone out. Thus you've got the hood open and digging in the engine.
Your method of tight control on virus distribution, is like passerby's not
trying to help out (letting use of phone, try to fix the problem, give you a
new part, a tow, etc [which is what people still do - thank God]), but stopping
you to ask to see your vehicle registration number and some identification, so
as to make sure you're not putting a car bomb into someone else's car.
I mean, sure, it could help you from getting a car bomb :), but that person's
attitude just ruins your day.
> well, if information really wants to be free why don't you go ahead and
> post your credit card numbers, telephone contact information, etc... i
> mean sure you'll probably have to have it all changed but that's just an
> inconvenience and most of us wouldn't contemplate misusing it or
> anything...
>
> get real... by hiding your credit card numbers you protect yourself, by
> making sure you only give virus materials to responsible people you
> protect yourself and others... it's that simple...
You seem to get this mixed up again.
This cheesy AV anaolgy has a fatal flaw - one which I am a little tired of
pointing out.
You see, if a person has a website, the contents of the website are something
the person WANTS to make available to the public.
Trust me, if that same person wants his credit card number to be public (which
they usually don't -> hence the flaw in the analogy), they'll put it on their
site.
Bilge
>oh, sure... blame the victims... blame people for not having perfect and
>completely knowledge of computer security... computer security should be
>required knowledge and we should do away with anyone who doesn't have
>it...
>
>wanna try again?
>
Sure. Better to blame the victim tha penalize someone that neither
caused the problem nor is responsible for the victim's predicament.
If you can't punish the perpetrator, that doesn't give you the right
to punish someone else just to appease the victims for the result
of their own ignorance. Stupidity is its own best cure. Allow
people to be cured.
>no, i'm against uncontrolled distribution because it puts viruses in the
>hands of people who mean to do harm... i am against it because it is
>insecure...
>
The you should control distribution of kernighan and ritchey to keep
c out of the hands of people with evil intentions, remove steven's
4 books on network programming and tcp/ip from general circulation
because they could peruse the source code showing how tcp/ip is
implented in the bsd kernel and exploit it, insure that nothing is
ever published about any processor architecture in case it encourages
ne'er do wells to hunt for another foof bug. It's all dangerous stuff
in the wrong hands.
> i am against it because it is hypocrisy...
In other words, you'll be at the front of the line giving up your
code, right? The only people that have a shot at not being hypocrites
are those willing to implement something to their own detriment.
Anyone else is suspect.
>you talk about blaming people who act without being informed, uncontrolled
>distribution is an action made without being informed about the recipients
>intentions...
>
You aren't considering an academic career, I take it?
>which do you think is worse, ignoring potential details or ignoring
>potential malice...
>
Treating everyone as a criminal, a priori, and punishing them for the
actions of a few people that cause problems for people, too lazy to
be responsible for their own security is fascist. Since I have
no idea what your comparison of details to malice means, I'll
let you decide which it is.
>well, if information really wants to be free why don't you go ahead and
>post your credit card numbers, telephone contact information, etc... i
Because I take responsibility for my own security. Nothing prevents
me from doing so if I wish, and neither tell someone else they should
or shouldn't publish thei own information. If you want to control
code you've written, you are entitled to hide it. You aren't entitled
to decide for anyone else.
>mean sure you'll probably have to have it all changed but that's just an
>inconvenience and most of us wouldn't contemplate misusing it or
>anything...
>
It's not my concern. I'm free to do what I want with my information.
It's mine. You aren't free to decide for me.
>so by hiding your credit card numbers you're controlling people...
>
But I only control my own. I don't have thousands that belong to
other people that I asked the government to give me legal standing
to control their dissemination. No one cares if you control what
is yours only that which is not yours.
>get real... by hiding your credit card numbers you protect yourself, by
>making sure you only give virus materials to responsible people you
>protect yourself and others... it's that simple...
>
Do these "responsible" people have a special mark that makes it
obvious they graduated from responsibiliy school? Or does "make
sure only resposnsible people get it" mean "discriminate arbitrarily"?
This isn't merely hypothetical. When the court cases are decided
on the dvd encryption, should the defendants lose, you won't be
the person that decides if you are qualified to do encryption research
or study software security. You'll need a "legitimate" stamp from
the company whose software you are supposedly evaluating. There's
no difference. In either case, someone else decides your intentions
for you.
>that's a rather gross generalization... i'm pushing this harder than
>anyone, i'm the first person i ever heard propose it, and nobody gives me
>viruses... i have no such status...
>
Maybe the lack of enthusiasm should tell you something. If it
doen't, you have a future with SPA or the mpaa.
>i never said the cd didn't contain viruses, or couldn't be used in the
>learning process, just that it's not quite the massive distribution the
>previous poster (whose text is absent) suggested it was...
For someone opposed to distributing viruses, you seem pretty quick
to criticize a collection that seem to lack enough complexity and
ability to destroy things. Perhaps the inability for you to find
educational value in something that isn't ready-made, up-to-the
minute working code, is because the only thing you can imagine
using code for is assembly into an executable.
--
kurt wismer
> Here I go again...
> I hope this thread doesn't last as long as "Plural of Viruses" [hi David!],
> though :)
>
> kurt wismer wrote:
> > no, i'm against uncontrolled distribution because it puts viruses in the
> > hands of people who mean to do harm... i am against it because it is
> > insecure... i am against it because it is hypocrisy...
>
> You see, that's the problem with your view point.
> You ASSUME that almost everyone who want to get a virus gets it because they
> want to spread it.
no, i make no such assumption, nor do i think any such thing... you make
the assumption that i think such a thing... shame on you, you should know
better than to assume...
> Sure it happens - that would be difficult to deny. The
> thing is though, that a lot of people have no intention of spreading them.
a lot of people have no intention of running down little children when
they get into their cars drunk, either... a few do, precaution is called
for... not because bad things do happen (although they do sometimes
happen) but because the very act is irresponsible...
if i were to make viruses available to someone, i would want to know (not
assume) that their intentions would be honourable and that their technical
competency is high enough to avoid unleashing the infection
accidentally... uncontrolled virus distribution makes no judgement as to
whether the recipient can safely handle the virus or whether s/he intends
to do harm with it... viruses can cause damage, they are potentially
dangerous things and deserve to be treated as such, rather than being
treated like you would a stick of gum...
not all information is safe for people to use...
> The problem with your veiwpoint, is that you assume the worst, and are willing
> to be "plesantly" surprised. Although that method of doing things is more
> secure, and less likely to result in problems, it is not without its drawbacks
> too.
i recognize it has it's drawbacks... the drawbacks are that it takes time
and energy... but in the end you get close relationships with people who
have similar interests (aka friends) *AND* the virus materials you were
looking for... not to mention the fact that you will be generally
respected for doing everything in your power to avoid contributing to the
virus problem...
> One of the nice things about places like the united states is, peoples
> willingness to help others.
that exists everywhere, not just in the united states...
> For example, if you're stuck in a parking lot somewhere with your car's starter
> having gone out. Thus you've got the hood open and digging in the engine.
> Your method of tight control on virus distribution, is like passerby's not
> trying to help out (letting use of phone, try to fix the problem, give you a
> new part, a tow, etc [which is what people still do - thank God]), but stopping
they may help, but they aren't going to give you a new car... giving
someone a virus doesn't "fix" anything... and cars have legitimate
practical uses - the only practical use viruses have are as weapons
(learning from viruses is an academic use, not a practical one)...
> you to ask to see your vehicle registration number and some identification, so
> as to make sure you're not putting a car bomb into someone else's car.
> I mean, sure, it could help you from getting a car bomb :), but that person's
> attitude just ruins your day.
the car bomb itself would be worse, though...
> > well, if information really wants to be free why don't you go ahead and
> > post your credit card numbers, telephone contact information, etc... i
> > mean sure you'll probably have to have it all changed but that's just an
> > inconvenience and most of us wouldn't contemplate misusing it or
> > anything...
> >
> > get real... by hiding your credit card numbers you protect yourself, by
> > making sure you only give virus materials to responsible people you
> > protect yourself and others... it's that simple...
>
> You seem to get this mixed up again.
> This cheesy AV anaolgy has a fatal flaw - one which I am a little tired of
> pointing out.
>
> You see, if a person has a website, the contents of the website are something
> the person WANTS to make available to the public.
> Trust me, if that same person wants his credit card number to be public (which
> they usually don't -> hence the flaw in the analogy), they'll put it on their
> site.
the flaw is not with my analogy, it is with the idea that controling
information is done only to control people (which is what the previous
poster said)... this is obviously absurd, we control information each and
every day, i was just pointing out the fact...
yes, we want to hide credit card numbers... we want to because there is
good reason to control who gets that information... there is also good
reason to control who gets access to your viruses... in fact there is a
better reason there because although credit card info in the wrong hands
can only hurt the credit card holder, viruses in the wrong hands can hurt
lots of people...
Robert
[snip]
>
>kurt wismer wrote:
>
>> well, if information really wants to be free why don't you go ahead and
>> post your credit card numbers, telephone contact information, etc... i
>> mean sure you'll probably have to have it all changed but that's just an
>> inconvenience and most of us wouldn't contemplate misusing it or
>> anything...
>>
>> get real... by hiding your credit card numbers you protect yourself, by
>> making sure you only give virus materials to responsible people you
>> protect yourself and others... it's that simple...
>
>You seem to get this mixed up again.
>This cheesy AV anaolgy has a fatal flaw - one which I am a little tired of
>pointing out.
>
>You see, if a person has a website, the contents of the website are something
>the person WANTS to make available to the public.
>Trust me, if that same person wants his credit card number to be public (which
>they usually don't -> hence the flaw in the analogy), they'll put it on their
>site.
fatally flawed.
Kurt was replying to the following from the aptly named bilge:
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
Yet it is obvious that the aptly named Bilge is too hypocritical to see
that he is condemning himself as a fascist.
--
Robert
It's not because I am paranoid
That the whole world *isn't* against me
Robert
<ro...@radioactivex.lebesque-al.net> wrote
>
> >well, if information really wants to be free why don't you go ahead and
> >post your credit card numbers, telephone contact information, etc... i
>
> me from doing so if I wish,
Then you are a rank hypocrite and by your own definition a fascist -
after all in article <slrn8fgdp...@radioactivex.lebesque-al.net>,
Bilge <ro...@radioactivex.lebesque-al.net> wrote
>
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around and contemplate destroying the world, just
to
>stop (and not very successfully) a few, it's called fascism.
Yet you restrict the information about your credit cards and bank
accounts for the sake of your own convenience and at the expense of
others who would wish to have access to this information.
Practice what you preach or FOAD
Cyclone
> a lot of people have no intention of running down little children when
> they get into their cars drunk, either... a few do, precaution is called
> for... not because bad things do happen (although they do sometimes
> happen) but because the very act is irresponsible...
So, what your saying is, that we should close down the liquor stores?
I think they tried that in the 30s... it wasn't all that popular then either.
Remember, we're talking about a secondary cause, not primary cause when talking
about open vX. The person spreading the virus, either intentionally or even by
sheer stupidity, is analogous to your drunk driver - not the vX site. The drunk
driver is the irresponsible one.
> if i were to make viruses available to someone, i would want to know (not
> assume) that their intentions would be honourable and that their technical
> competency is high enough to avoid unleashing the infection
> accidentally... uncontrolled virus distribution makes no judgement as to
> whether the recipient can safely handle the virus or whether s/he intends
> to do harm with it... viruses can cause damage, they are potentially
> dangerous things and deserve to be treated as such, rather than being
> treated like you would a stick of gum...
That would be your vX site :)
Well, let's look at your very colourful drunk drivers "running down little
children" example. Now, I think that you would agree that killing a child is a
little worse than a virus potentially wiping out some data (yeah yeah - I know, the
ever cliche hospital example [which has never happened to my knowledge]). That
being said, all the liquor store does is to make sure the customer is above 18.
There are no police background checks on DUIs. There are certificates to sign.
Nor are there any licenses required. With that being the case, shouldn't you be
making your case in news:rec.booze.drivers or somewhere, so as to make sure no more
little children are run down in the prime of their youth? (I love AV examples;-)
What I'm saying, is that, like with alcohol, there has to be a certain level of
trust between the provider and the consumer that the product will not be misused.
You choose to have the security high, but that trust level very low (good for
security, bad for an overall sense of freedom). Other products, some of which are
much more dangerous than viruses, require less hoops to jump through.
Basically what I'm saying, is that living in a country where it is IMPOSSIBLE to do
wrong, is probably worse than being in a country with no laws at all. Afterall, we
are talking about living in a country, not a prison, and ultimatly, the person
resposible for an act [in this case malicious distribution] has to be THE one
responsible - not everyone except him/her.
> not all information is safe for people to use...
No, information does not have to be safe. But if someone chooses to give that
information to someone, then that's their decision. Who gave you the right to
dictate whether someone should know something or not?
> i recognize it has it's drawbacks... the drawbacks are that it takes time
> and energy... but in the end you get close relationships with people who
> have similar interests (aka friends) *AND* the virus materials you were
> looking for... not to mention the fact that you will be generally
> respected for doing everything in your power to avoid contributing to the
> virus problem...
Hmm... are you saying that in order to get your hands on something, you should have
to be forced to make freinds and connections to a privied few? That doesn't sound
very democratic...
Yes, your method is safer, but it seems a little too... monocratic [for lack of a
better word]... for me.
> > One of the nice things about places like the united states is, peoples
> > willingness to help others.
>
> that exists everywhere, not just in the united states...
True, true.
I do see it a bit more in the united states than in the other countries I have
visited, though.
> they may help, but they aren't going to give you a new car... giving
> someone a virus doesn't "fix" anything... and cars have legitimate
> practical uses - the only practical use viruses have are as weapons
> (learning from viruses is an academic use, not a practical one)...
HUH?!?
And since when is learning something NOT a valid purpose?!?!?
I don't quite follow your "giving a new car" talk. If someone wants/asks for
information [presumably because they lack the information], then providing
source/zines/whatever will "fix" that persons lack of info. I don't see vX sites
giving away computers to anyone who downloads anything.
> > you to ask to see your vehicle registration number and some identification, so
> > as to make sure you're not putting a car bomb into someone else's car.
> > I mean, sure, it could help you from getting a car bomb :), but that person's
> > attitude just ruins your day.
>
> the car bomb itself would be worse, though...
Yes it would, but imagine, if you will, that your car's starter goes in front of a
Walmart (or somewhere like that) where people are coming and going every few
seconds. If each of those people asked for your ID and registration, then after 10
people, you'd probably close the hood, walk into the store, buy a gun, and start
shooting people who hassled you for any more ID. I probably would. :-)
That be even worse, right?
(yet completely unavoidable, and understandable- as no one is THAT patient)
> the flaw is not with my analogy, it is with the idea that controling
> information is done only to control people (which is what the previous
> poster said)... this is obviously absurd, we control information each and
> every day, i was just pointing out the fact...
I guess I misread it. OK. Sorry.
Although I wouldn't go as far as to call the idea absurd, myself (strike the "only"
and you have a true statement, afterall).
> yes, we want to hide credit card numbers... we want to because there is
> good reason to control who gets that information... there is also good
> reason to control who gets access to your viruses... in fact there is a
> better reason there because although credit card info in the wrong hands
> can only hurt the credit card holder, viruses in the wrong hands can hurt
> lots of people...
Do you see me on a quest to stop others from putting their credit card numbers onto
their webpages? If they WANT to put them up, who am I to stop them, right? Their
credit card company, however, might have something to say about that. :-)
Cyclone
John Ievins
> > Virus scanners can't keep up
> > as it is.
>
> in what sense can scanners not keep up?
In the sense that a virus spreads before virus scanners become able to
find and kill it.
--
John F. Ievins (aka The Grendel) The Elf Slayer
John Ievins is spelt with an i, not an L... Grrr!
Philosopher of Banana Religion & Rights
Member of The-Anti-Humour-Movement
Evil Scientist of Naven Experimentation (would anyone like to donate
any Navens to my labs? Please? Pretty-please?)
Owner of 1 AGC nutterfly
Project Leader, Team Leader & Mapper of 2048 Millenium Productions'
'War Sector X' Half Life Mod, available from
Http://www.millenium2048.co.uk
Creator of genetically engineered 'Norns' and 'Grendels', for the
'Creatures' series of games, available from
Http://www.geocities.com/SiliconValley/Foothills/6184/
Creator of Creatures 3 COB's ranged between 24001 and 24050
Member of the Official AGC order of the Pnippers
Owner of The Inflatable Anti-Death Fork
Talker of gibberish
Remove 'Mr.vloomy.' to reply, or don't mail
---
SnornL: If I had a life, would I insist I am an elf?
>
kurt wismer
> kurt wismer said some stuff about
>
> >oh, sure... blame the victims... blame people for not having perfect and
> >completely knowledge of computer security... computer security should be
> >required knowledge and we should do away with anyone who doesn't have
> >it...
> >
> >wanna try again?
> Sure. Better to blame the victim tha penalize someone that neither
> caused the problem nor is responsible for the victim's predicament.
a) nobody is being penalized - have you even bothered to look back in
dejanews to find out what exactly the alternative i propose is? i know you
certainly haven't asked me what it is...
b) you're completely ignoring the spectrum of non-direct
responsibility...
> >no, i'm against uncontrolled distribution because it puts viruses in the
> >hands of people who mean to do harm... i am against it because it is
> >insecure...
>
> The you should control distribution of kernighan and ritchey to keep
> c out of the hands of people with evil intentions, remove steven's
> 4 books on network programming and tcp/ip from general circulation
> because they could peruse the source code showing how tcp/ip is
> implented in the bsd kernel and exploit it, insure that nothing is
> ever published about any processor architecture in case it encourages
> ne'er do wells to hunt for another foof bug. It's all dangerous stuff
> in the wrong hands.
the information you reference all has good practical uses... viruses do
not have a good practical use, they have a good academic use, but their
only practical use is as a weapon...
> > i am against it because it is hypocrisy...
>
> In other words, you'll be at the front of the line giving up your
> code, right?
giving up my code? what are you talking about?
> The only people that have a shot at not being hypocrites
> are those willing to implement something to their own detriment.
> Anyone else is suspect.
well, what i'm proposing would make it more difficult for me to get
viruses...
> >you talk about blaming people who act without being informed, uncontrolled
> >distribution is an action made without being informed about the recipients
> >intentions...
> You aren't considering an academic career, I take it?
no, what does that have to do with anything?
> >which do you think is worse, ignoring potential details or ignoring
> >potential malice...
> >
> Treating everyone as a criminal, a priori, and punishing them for the
i'm not talking about treating anyone as a criminal or punishing
anyone... please do not assume my intentions, you'll only make an ass out
of u and me... do caro members treat the people with whom they exchange
viruses as criminals? no, of course not... do they punish them? no of
course not... i'm asking nothing more of the vx than i expect from caro...
> actions of a few people that cause problems for people, too lazy to
> be responsible for their own security is fascist.
you keep blurting out fascist or fascism, yet it's rather obvious you're
arguing against something i'm not even proposing...
you should not use that word lightly, don't be the boy who cried fascist
(wolf)...
[snip]
> >well, if information really wants to be free why don't you go ahead and
> >post your credit card numbers, telephone contact information, etc... i
>
> Because I take responsibility for my own security. Nothing prevents
> me from doing so if I wish, and neither tell someone else they should
> or shouldn't publish thei own information. If you want to control
> code you've written, you are entitled to hide it. You aren't entitled
> to decide for anyone else.
i'm not trying to decide for anyone else... please remove your head from
your rectum... i cannot make decisions for other people, i can only try to
influence their own decisions... the purpose of the prosaic form is the
persuade the audience...
> >mean sure you'll probably have to have it all changed but that's just an
> >inconvenience and most of us wouldn't contemplate misusing it or
> >anything...
> It's not my concern. I'm free to do what I want with my information.
> It's mine. You aren't free to decide for me.
i'm not trying to decide for you... has it occurred to you that i cannot
possibly enforce any decision i try to make for other people? what on
earth makes you think i'm trying to decide for you... i'm trying to
convince you to take responsibility for the impact you have on the
computing world...
> >so by hiding your credit card numbers you're controlling people...
> But I only control my own. I don't have thousands that belong to
> other people that I asked the government to give me legal standing
> to control their dissemination. No one cares if you control what
> is yours only that which is not yours.
and i'm only asking that people take more care in controlling the
information in their possession, so why are you crying fascist so loudly?
> >get real... by hiding your credit card numbers you protect yourself, by
> >making sure you only give virus materials to responsible people you
> >protect yourself and others... it's that simple...
> Do these "responsible" people have a special mark that makes it
> obvious they graduated from responsibiliy school? Or does "make
> sure only resposnsible people get it" mean "discriminate arbitrarily"?
obviously you have to have reason to say person x is responsible, if you
have no reason to believe they are responsible (ie. they haven't proven
it) then you cannot reasonably judge them to be responsible...
it is a matter of trust, and yes trust must be earned...
> This isn't merely hypothetical. When the court cases are decided
> on the dvd encryption, should the defendants lose, you won't be
> the person that decides if you are qualified to do encryption research
> or study software security. You'll need a "legitimate" stamp from
> the company whose software you are supposedly evaluating. There's
> no difference. In either case, someone else decides your intentions
> for you.
bullshit, i'm not talking about some farcicial "responsibility
certification"...
> >that's a rather gross generalization... i'm pushing this harder than
> >anyone, i'm the first person i ever heard propose it, and nobody gives me
> >viruses... i have no such status...
> >
> Maybe the lack of enthusiasm should tell you something. If it
> doen't, you have a future with SPA or the mpaa.
the lack of enthusiasm suggests that many people agree with nick
fitzgerald that you're all lost causes...
> >i never said the cd didn't contain viruses, or couldn't be used in the
> >learning process, just that it's not quite the massive distribution the
> >previous poster (whose text is absent) suggested it was...
>
> For someone opposed to distributing viruses,
i am opposed to the uncontrolled distribution of viruses, please get it
right...
> you seem pretty quick
> to criticize a collection that seem to lack enough complexity and
> ability to destroy things. Perhaps the inability for you to find
> educational value in something that isn't ready-made, up-to-the
> minute working code, is because the only thing you can imagine
> using code for is assembly into an executable.
more gross generalizations... i learned much of what i know about assembly
by reading snippets and source code... not virus source code mind you...
as i said before, please do not *assume* things...
furthermore, the criticism i made was reactionary and in response to a
sentiment that the collection in question was 'great'... if you're a
believer in the addage "quantity has a quality all it's own" then on that
level i suppose it might be 'great', but otherwise . . .
kurt wismer
> kurt wismer wrote:
> > > Virus scanners can't keep up
> > > as it is.
> >
> > in what sense can scanners not keep up?
>
> In the sense that a virus spreads before virus scanners become able to
> find and kill it.
that's not always true, but for those cases where it is true, that is why
there are other forms of anti-virus technology besides scanners...
i certainly never said scanners are the be all and end all to anti-virus
security...
Cyclone
I'm shocked.
David M. Chess
> I hope this thread doesn't last as long as "Plural of Viruses" [hi David!],
> though :)
Hi! *8) I think I'll stay out of this go-round (well, except for
this one posting!). I don't know the background, not being all
that interested in reading the original thread. I continue to think
that there's a place for *responsible* handling of viruses, somewhere
between "put them on the web for anyone who comes by" and "stop
everyone in the world from ever doing anything dangerous".
But I doubt there's much percentage at this point in trying to
get a consensus on this particular group as to where the right
point on the continuum is... *8)
PaX
that there's a place for *responsible* handling of viruses, somewhere
between "put them on the web for anyone who comes by" and "stop
everyone in the world from ever doing anything dangerous".
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Exactly how it should be....informed words from the wise...
Regards Dalt
kurt wismer
> kurt wismer wrote:
> > a lot of people have no intention of running down little children when
> > they get into their cars drunk, either... a few do, precaution is called
> > for... not because bad things do happen (although they do sometimes
> > happen) but because the very act is irresponsible...
>
> So, what your saying is, that we should close down the liquor stores?
no, i'm saying the liquor stores shouldn't sell to people who are already
drunk - and lo' that is exactly the way things work where i live...
they should also only sell to those who can prove their age...
in comparison, people should only share viruses with those who have proven
their trustworthiness...
> I think they tried that in the 30s... it wasn't all that popular then either.
> Remember, we're talking about a secondary cause, not primary cause when talking
> about open vX. The person spreading the virus, either intentionally or even by
> sheer stupidity, is analogous to your drunk driver - not the vX site. The drunk
> driver is the irresponsible one.
so is the bartender or liquor store attendant who served them past the
point of drunkeness... and where i come from they can get in trouble too,
regardless of whether the drunk was a driver and/or ran someone over...
> > if i were to make viruses available to someone, i would want to know (not
> > assume) that their intentions would be honourable and that their technical
> > competency is high enough to avoid unleashing the infection
> > accidentally... uncontrolled virus distribution makes no judgement as to
> > whether the recipient can safely handle the virus or whether s/he intends
> > to do harm with it... viruses can cause damage, they are potentially
> > dangerous things and deserve to be treated as such, rather than being
> > treated like you would a stick of gum...
[reformatting text manually - could you do something about your line
length?]
> That would be your vX site :)
> Well, let's look at your very colourful drunk drivers "running down
> little
> children" example. Now, I think that you would agree that killing a
> child is a
> little worse than a virus potentially wiping out some data (yeah yeah -
> I know, the
> ever cliche hospital example [which has never happened to my
> knowledge]). That
> being said, all the liquor store does is to make sure the customer is
> above 18.
> There are no police background checks on DUIs. There are certificates
> to sign.
> Nor are there any licenses required. With that being the case,
> shouldn't you be
> making your case in news:rec.booze.drivers or somewhere, so as to make
> sure no more
> little children are run down in the prime of their youth? (I love AV
> examples;-)
you mistate what the liquor store attendant does... verifying age is only
part of it...
> What I'm saying, is that, like with alcohol, there has to be a certain
> level of
> trust between the provider and the consumer that the product will not
> be misused.
i agree... but trust must be earned...
> You choose to have the security high, but that trust level very low
> (good for
> security, bad for an overall sense of freedom). Other products, some
> of which are
> much more dangerous than viruses, require less hoops to jump through.
now you're mistating what *i'm* talking about... trust level is
low? that causes the web of trust to *fail* to work properly...
> Basically what I'm saying, is that living in a country where it is
> IMPOSSIBLE to do
> wrong, is probably worse than being in a country with no laws at
> all. Afterall, we
> are talking about living in a country, not a prison, and ultimatly, the
> person
> resposible for an act [in this case malicious distribution] has to be
> THE one
> responsible - not everyone except him/her.
those who aided that person share some of the responsibility, whether they
aided him/her knowingly or not...
> > not all information is safe for people to use...
>
> No, information does not have to be safe. But if someone chooses to
> give that
> information to someone, then that's their decision. Who gave you the
> right to
> dictate whether someone should know something or not?
oh, for pete's sake cyclone... you were around the last time this got
discussed, weren't you? i'm not talking about dictating to anyone...
people who i turn down may well be trustworthy and i simply don't know
them well enough... in such a case surely someone else will know them
better and consider them trustworthy...
> > i recognize it has it's drawbacks... the drawbacks are that it takes time
> > and energy... but in the end you get close relationships with people who
> > have similar interests (aka friends) *AND* the virus materials you were
> > looking for... not to mention the fact that you will be generally
> > respected for doing everything in your power to avoid contributing to the
> > virus problem...
>
> Hmm... are you saying that in order to get your hands on something, you
> should have
> to be forced to make freinds and connections to a privied few? That
what privied few? you have viruses right? many of your friends have
viruses, and many of their friends have viruses... there are plenty of
people to get viruses from, but viruses should only be given to those whom
you know you can trust...
> > > One of the nice things about places like the united states is, peoples
> > > willingness to help others.
> >
> > that exists everywhere, not just in the united states...
>
> True, true.
> I do see it a bit more in the united states than in the other countries
> I have
> visited, though.
you've existed longer in the united states than in the other countries
you've visited...
> > they may help, but they aren't going to give you a new car... giving
> > someone a virus doesn't "fix" anything... and cars have legitimate
> > practical uses - the only practical use viruses have are as weapons
> > (learning from viruses is an academic use, not a practical one)...
>
> HUH?!?
> And since when is learning something NOT a valid purpose?!?!?
re-read what i said... learning is an academic use... i did not say it was
not valid, only that it was not practical... academic actually means
without practical use or purpose... that doesn't mean it isn't valid
though, you don't have to be practical to be valid...
> I don't quite follow your "giving a new car" talk. If someone
it's the closest i could get your helpful fellow driver analogy to fit the
situation with virus exchange...
> wants/asks for
> information [presumably because they lack the information], then
> providing
> source/zines/whatever will "fix" that persons lack of info. I don't
that depends entirely on the form of information they ask for... if they
are asking for source or binaries, then they are not looking for
information specifically, only something that happens to fall under the
umbrella term of information because all things on a computer are
information... if someone asks for a virus it is comparable to a person
without a working car asking for a car...
[snip]
> > > you to ask to see your vehicle registration number and some identification, so
> > > as to make sure you're not putting a car bomb into someone else's car.
> > > I mean, sure, it could help you from getting a car bomb :), but that person's
> > > attitude just ruins your day.
> >
> > the car bomb itself would be worse, though...
>
> Yes it would, but imagine, if you will, that your car's starter goes in
> front of a
> Walmart (or somewhere like that) where people are coming and going
> every few
> seconds. If each of those people asked for your ID and registration,
> then after 10
> people, you'd probably close the hood, walk into the store, buy a gun,
> and start
> shooting people who hassled you for any more ID. I probably would. :-)
they sell guns in walmart but they won't sell music with bad words?
that's rather bizarre...
anyways, i wouldn't be buying any guns... i'm not a gun person... even on
the occasions when i was that pissed off, i was still more of a hands-on
person...
furthermore, why not just go into the walmart and buy the part you need to
fix the car? isn't walmart the everything store? if i broke down infront
of a canadian tire store i could do that (or buy a crossbow and shoot the
people who asked for id if i were of a mind to)...
but this is all besides the point since, for the virus side of this i'm
not talking about any kind of certificate scheme... either you know and
trust the person or you don't...
> > the flaw is not with my analogy, it is with the idea that controling
> > information is done only to control people (which is what the previous
> > poster said)... this is obviously absurd, we control information each and
> > every day, i was just pointing out the fact...
>
> I guess I misread it. OK. Sorry.
> Although I wouldn't go as far as to call the idea absurd, myself
> (strike the "only"
> and you have a true statement, afterall).
and in that vein, breathing is done to intimidate people...
> > yes, we want to hide credit card numbers... we want to because there is
> > good reason to control who gets that information... there is also good
> > reason to control who gets access to your viruses... in fact there is a
> > better reason there because although credit card info in the wrong hands
> > can only hurt the credit card holder, viruses in the wrong hands can hurt
> > lots of people...
>
> Do you see me on a quest to stop others from putting their credit card
> numbers onto
> their webpages? If they WANT to put them up, who am I to stop them,
> right?
like i said, credit card numbers in the wrong hands can only hurt the
credit card holder... you don't care because it doesn't affect you or
anyone else, just the person who put it on their website... viruses affect
more people, that's why i care, that's why you should care... you could
get hit, or your parents, or your sister or brother, or your best
friend...
LHigdon
I continue to think
>that there's a place for *responsible* handling of viruses, somewhere
>between "put them on the web for anyone who comes by" and "stop
>everyone in the world from ever doing anything dangerous".
Bless you! You found the operative word.
kurt wismer
> Nothing to say Kurt?
> I'm shocked.
>
> Cyclone wrote:
> >
> > kurt wismer wrote:
don't be... you're relying on usenet to get the message across,
remember... it might reach me late or even not at all... i just posted my
reply earlier today...
John Ievins
> > > > Virus scanners can't keep up
> > > > as it is.
> > >
> > > in what sense can scanners not keep up?
> >
> > In the sense that a virus spreads before virus scanners become
able to
> > find and kill it.
>
> that's not always true,
But it is in certain cases. But I would assume that the source code
wouldn't actually be of that much use to AV authors - they just need
to recognise the compiled virus.
> but for those cases where it is true, that is why
> there are other forms of anti-virus technology besides scanners...
>
> i certainly never said scanners are the be all and end all to
anti-virus
> security...
Yes, but they are the most common.
Bilge
>
>Yet you restrict the information about your credit cards and bank
>accounts for the sake of your own convenience and at the expense of
>others who would wish to have access to this information.
>
by making value judgements concerning what I own, not what another
owns. If nobody wishes to provide source code, that is a decision
made by each individual.
>Practice what you preach or FOAD
what to do regarding that which you own. In fact, I don't even care
to know what that might be. Democracy means never having to say "you
must". Only a warped perspective of freedom causes people to try and
take what's mine by appealing to the concept of freedom to insist I
share it. Just ask the people that survived the cultural revolution.
Cyclone
> Hi! *8) I think I'll stay out of this go-round (well, except for
> this one posting!). I don't know the background, not being all
> that there's a place for *responsible* handling of viruses, somewhere
> between "put them on the web for anyone who comes by" and "stop
> everyone in the world from ever doing anything dangerous".
> get a consensus on this particular group as to where the right
> point on the continuum is... *8)
Nice to see you!
No arguments here.
BTW - I meant to always meant ask, might as well now. I'm curious, is
that automatic imuno-system that you guys developed in large scale use
yet (all your customers), or is it still in the testing phases? (Or
just the virus sample analysis by computer part)?
Cyclone
> no, i'm saying the liquor stores shouldn't sell to people who are already
> drunk - and lo' that is exactly the way things work where i live...
> they should also only sell to those who can prove their age...
>
> in comparison, people should only share viruses with those who have proven
> their trustworthiness...
Well, the fact is that someone is 18 and sober qualifies them as
trustworthy for a liquor store, correct? So, why wouldn't an "Are
you 18 and don't intend to malicously spread?" warning be sufficient
for a vX site? Proving "trustworthiness" seems a lot more of a
strict standard for something a lot less dangerous (in the wrong
persons hands of course).
> so is the bartender or liquor store attendant who served them past the
> point of drunkeness... and where i come from they can get in trouble too,
> regardless of whether the drunk was a driver and/or ran someone over...
The law is weird like that sometimes.
That law is rather stupid though. I mean, what else is the purpose
of a bartender other than to serve drinks?
> [reformatting text manually - could you do something about your line
> length?]
Well, mine doesn't re-format all that nicely either. I'll try to be
nice to pine users, but this is about as nice as it will get.
> you mistate what the liquor store attendant does... verifying age is only
> part of it...
I guess I am. What is the other part? Do they all lead secret lives
as super heroes when the sun goes down?
Oh wait, I know what the other part is....
verify age, AND... <DRAMATIC PAUSE>
...sell alcohol
correct?
> > What I'm saying, is that, like with alcohol, there has to be a certain
> > level of
> > trust between the provider and the consumer that the product will not
> > be misused.
>
> i agree... but trust must be earned...
Not necissarily in some cases. To continue with our liquor store
example, 500 people that the liqour store attendant has never seen
can visit the liqor store each day. Do you really expect the poor
attendant to sit down with each of them over a cup of coffee and play
Scrabble? Some level of trust is sometimes/often given implicitly.
> > You choose to have the security high, but that trust level very low
> > (good for
> > security, bad for an overall sense of freedom). Other products, some
> > of which are
> > much more dangerous than viruses, require less hoops to jump through.
>
> now you're mistating what *i'm* talking about... trust level is
> low? that causes the web of trust to *fail* to work properly...
I expressed myself poorly. What I meant was more along the lines of
"initial trust". The trust you give to someone initially for no real
reason. You set this level of trust very low and then insist that
the person works hard for the rest. This is more secure, but also a
lot less pleasant for all involved (let's face it - it feels good
when someone trusts you instead of never turning his back to you).
My point was that this initial trust should be determined by a
products dangerousness. If that is the case, then I point out that
more dangerous things - like alcohol - are being sold with a higher
level of inital trust.
> those who aided that person share some of the responsibility, whether they
> aided him/her knowingly or not...
So do the people who gave birth to him, the people he went to school
with, his teachers, the media, the ....
I don't see them getting fines/jail sentences.
It's kind of silly to include people who unknowingly helped in that
list.
> oh, for pete's sake cyclone... you were around the last time this got
> discussed, weren't you? i'm not talking about dictating to anyone...
Well, I do usually hang out in a.c.v.s.c., as a result I don't read
many of the a.c.v. posts.
> people who i turn down may well be trustworthy and i simply don't know
> them well enough... in such a case surely someone else will know them
> better and consider them trustworthy...
Sure, that's fine.
What I see is that you are trying to influence other peoples opion of
whether someone is trustworth or not [which is not a bad thing in
itself]. It seems to me that you'd like to see everybody have the
same standards (or higher) as yourself [also nothing wrong with that-
just don't be surprised/disappointed if someone has lower standards
and respect their opinion].
> > Hmm... are you saying that in order to get your hands on something, you
> > should have
> > to be forced to make freinds and connections to a privied few? That
>
> what privied few? you have viruses right? many of your friends have
> viruses, and many of their friends have viruses... there are plenty of
> people to get viruses from, but viruses should only be given to those whom
> you know you can trust...
Yes, I have some viruses.
Would I have ever gotten them, if everyone had the same standard for
virus distribution as you? Hardly - the places I got them from would
not exist.
So, how is someone supposed to gain a level of trust? I mean
exchanging mail with someone that goes by a psuedonym is not the best
way to gain trust, is it? So what would it take - a face to face
meeting (costing thousands in plane tickets, etc), gifts, Christmas
cards, what?
For example, if I email you, will you send me a virus source?
> you've existed longer in the united states than in the other countries
> you've visited...
That so? Strange. I don't live in the United States.
> re-read what i said... learning is an academic use... i did not say it was
> not valid, only that it was not practical... academic actually means
> without practical use or purpose... that doesn't mean it isn't valid
> though, you don't have to be practical to be valid...
The statement that viruses are not practical is inacurate.
For example, I received an .exe file from someone in the mail a while
back. I make it a habbit to do a quick check with something like
"dumppe" to check incoming files (as well as a scan).
Here are some of the highlights:
Address of Entry Point 000E6000
Section Table
-------------
01 CODE Virtual Address 00001000
Virtual Size 0003F000
Raw Data Offset 00000400
Raw Data Size 0001C400
Relocation Offset 00000000
Relocation Count 0000
Line Number Offset 00000000
Line Number Count 0000
Characteristics C0000040
Initialized Data
Readable
Writeable
09 .adata Virtual Address 000E6000
Virtual Size 00002000
Raw Data Offset 00046600
Raw Data Size 00001200
Relocation Offset 00000000
Relocation Count 0000
Line Number Offset 00000000
Line Number Count 0000
Characteristics C0000040
Initialized Data
Readable
Writeable
Imp Addr Hint Import Name from kernel32.dll
-------- ---- -----------------------------
000E678C 0 GetProcAddress
000E6790 0 GetModuleHandleA
000E6794 0 LoadLibraryA
<That's all the imports from Kernel32.dll>
Suspicious, no (at first glance)?
So, I did a quick dissembly to see what was going on. It yeilded:
pushad
call 004E6006
pop ebp
sub ebp,00444A0A
mov ebx,00444A04
add ebx,ebp
sub ebx,[ebp+004450B1]
cmp dword ptr [ebp+004450AC],00000000
mov [ebp+00444EBB],ebx
jne 004E6544
lea eax,[ebp+004450D1]
push eax
call [ebp+00445194]
etc.
My my my... If it's not the delta routine calculation used since the
very first viruses of the com file days.
The use of "GetProcAddress" & "GetModuleHandleA" are also common to
PE infection, so is a writeable Code Segemnt, Entry Point outside of
the code segment- very virus-like, as is adding a new code section
[I'm still amazed it works without marking .adata as executable].
Well, investigating further, I found I wasn't looking at a virus, but
at a data compression engine (notice the Code Raw Data Size vs. the
Virtual Size).
With that said, obviously the someone who wrote the comperssor,
benefited from availability of virus source/information. I'd call
that practical, you?
> > I don't quite follow your "giving a new car" talk. If someone
>
> it's the closest i could get your helpful fellow driver analogy to fit the
> situation with virus exchange...
I think we'd agree that that has more to do with a cars price
(relative to a free virus) rather than it does with the willingness
to help. If a car was free, then it's quite likey that you would get
one from someone wanting to help out.
> that depends entirely on the form of information they ask for... if they
> are asking for source or binaries, then they are not looking for
> information specifically, only something that happens to fall under the
> umbrella term of information because all things on a computer are
> information... if someone asks for a virus it is comparable to a person
> without a working car asking for a car...
Binaries aside, source is a good place to learn from. Code, from the
fact that it needs to be complete and correct, is a nice place to
look to see exactly how things work. Thus people often are looking
for information when they want the source.
Binaries are good only when the source in unavailable. But some
people seem to enjoy collecting them, so, that's a valid use too.
With your asking for a car example, it's also analogous to asking for
a new tail light (which people often have and give), a jumper cable
boost, or use of their time. I really think that the cost of the car
is fogging up your comparison, but strictly speaking, you are free to
ask for the car, and others are free to give it if they want to -
even to a stranger.
> they sell guns in walmart but they won't sell music with bad words?
>
> that's rather bizarre...
I rather get a kick out of that too.
> furthermore, why not just go into the walmart and buy the part you need to
> fix the car? isn't walmart the everything store? if i broke down infront
> of a canadian tire store i could do that (or buy a crossbow and shoot the
> people who asked for id if i were of a mind to)...
Well, Canadian Tire is a better place for autoparts than a Walmart.
The point is, even if you did buy the part, no one would let you
install it because of the constant stream of people asking for ID
(and that's assuming that they'd eave you long enought alone for
you to identify the part you need).
> but this is all besides the point since, for the virus side of this i'm
> not talking about any kind of certificate scheme... either you know and
> trust the person or you don't...
Isn't that what CARO uses? I don't think they'd give me any source
no matter how much I pester them. They probably wouldn't give any to
you either (if you're not a member that is).
> > I guess I misread it. OK. Sorry.
> > Although I wouldn't go as far as to call the idea absurd, myself
> > (strike the "only"
> > and you have a true statement, afterall).
>
> and in that vein, breathing is done to intimidate people...
*huff* *huff* ;)
> like i said, credit card numbers in the wrong hands can only hurt the
> credit card holder... you don't care because it doesn't affect you or
> anyone else, just the person who put it on their website... viruses affect
> more people, that's why i care, that's why you should care... you could
> get hit, or your parents, or your sister or brother, or your best
> friend...
Or my Great Grand-Aunt's, sister-in-law's, step-son's, niece's dog.
We all know the risks of getting files from the net. One can't make
the risk 0, and trying to even get close to 0, often results in more
freedom loss than the security you gain is worth.
The thing that botheres me about your example is that you
automatically seem to imply the equation of:
put viruses on web site == people get infected.
I would argue that, as there are some old viruses that are published
in relatively old zines (like cb#4), that don't even scan with the
latest scanners - I presume because they never infected anybody.
I really think that instead of complaining about the websites, you
should be complaining about the people who spread viruses
maliciously.
Bilge
>a) nobody is being penalized - have you even bothered to look back in
>dejanews to find out what exactly the alternative i propose is? i know you
>certainly haven't asked me what it is...
I responded to what you wrote. You did not bother to tell me that
there was any error in what I stated regarding anything I might
have misconstrued. Instead, you responded as if I had not.
>b) you're completely ignoring the spectrum of non-direct
>responsibility...
No. I just think that it's obvious that you can't force people to
be responsible. Someone that has lost all of the data on their disk
from a virus is more likely to be careful with disseminating informa-
tion without any encouragement. The person that never has encountered
one is unlikely to be persuaded and possibly even encouraged to
be malicious by virtue of considering themselves immune. Perhaps
such a person would better be persuaded by personal experience.
People that want to arbitrate the behavior of others are not about
personal responsibility. They are about enforcing personal responsibility
and deciding how to do it. The ones that do the best job disgusing
it spend a lot of time in washington, dc.
>the information you reference all has good practical uses... viruses do
>not have a good practical use, they have a good academic use, but their
>only practical use is as a weapon...
An academic use is a practical use. It would not be hard to come up
with a biological simulation that might be easily done by writing
writing competing programs with various capabilities. It might be
simpler to have it reproduce and see the result than write a self
contained program to keep score. Computational experiments are becoming
more common with the arrival of cheap memory and disk space. Monte
carlo has been around for a long time for example, and was never
all that useful until systems were capable of carrying out 100,000,000
or so "experiments". In terms of memory, it may be ineffiecient,
but it finishes running in this lifetime.
>giving up my code? what are you talking about?
>
I just assumed that controlling something meant not everybody had
an opportunity to obtain it from others based upon mutual consent.
If a third, non-involved, party decides, than why would you have
any reason to be among the people that should have access?
>well, what i'm proposing would make it more difficult for me to get
>viruses...
>
Well, at least you wouldn't exempt yourself. Or at least not totally.
>> You aren't considering an academic career, I take it? >
>no, what does that have to do with anything?
>
Usually, one needs to recognize they dont know enough to be so
certain that something is useless rather than something having
no use that has yet been found. It's sort of the nature of
the business to do what hasn't been done rather than copy what
has.
>
>i'm not talking about treating anyone as a criminal or punishing
>anyone... please do not assume my intentions, you'll only make an ass out
>of u and me... do caro members treat the people with whom they exchange
You have done nothing until this point to give me any reason to
believe your goal shouldn't be enforcing your objectives rather
than voluntary compliance.
>viruses as criminals? no, of course not... do they punish them? no of
>course not... i'm asking nothing more of the vx than i expect from caro...
And what is their criteria for dissemination? I would guess there
is not much voluntariness involved. To be a member and receive
the same information they have, I would guess you have to agree
not to let unapproved individuals have access to what they provide.
I've never been driven to ask. I've gotten anything of interest
from a few examples and some textbook analysis that wasn't really
aimed at writing architecture specific specimens.
Also, before blaming the availability of source code on the
prevalence of viruses, you might consider the possibility that
there are people with a hell of a lot to gain that will always
have access. Go look at the sales of anti-virus software or
microsoft products and ask yourself why microsoft didn't bother
doing something back in 1985 when the 386 offered them a way
to at least minimize the problem by actually using protected
mode for something. Even after they figured out it existed, they've
contiued to create software that encourages behavious that
defeats its purpose. If you think for a second that a few
billion dollars a year doesnt provide incentive to find as
many creative ways as possile to make another billion, think
again. If you want to point a finger at the most responsible
party, poit at microsoft, who believes telling people they're
doing something provides a better margin than actually doing
it.
>you keep blurting out fascist or fascism, yet it's rather obvious you're
>arguing against something i'm not even proposing...
>
>you should not use that word lightly, don't be the boy who cried fascist
>(wolf)...
>
Well, you seem to come across with that mindset.
>i'm not trying to decide for anyone else... please remove your head from
>your rectum... i cannot make decisions for other people, i can only try to
>influence their own decisions... the purpose of the prosaic form is the
>persuade the audience...
>
Maybe that effort would be better spent having software vendors pull
their heads from their rectums and simply write code which doesnt
do things like execute email, need to write in system directories,
reequire hardware access, or in short, shout "infect me, my author
is stupid and the person using me is stupider".
>i'm not trying to decide for you... has it occurred to you that i cannot
>possibly enforce any decision i try to make for other people? what on
>earth makes you think i'm trying to decide for you... i'm trying to
>convince you to take responsibility for the impact you have on the
>computing world...
So where do these people from the mpaa, the fbi or the ss get their
start?
>and i'm only asking that people take more care in controlling the
>information in their possession, so why are you crying fascist so loudly?
>
Why didn't you mention it the first time?
>
>bullshit, i'm not talking about some farcicial "responsibility
>certification"...
>
I can think of an easier way to accomplish your goal, if all you
are really interested in is making a point about casually disseminating
code so that the point lingers, but I doubt it would be exteremly popular.
>
>the lack of enthusiasm suggests that many people agree with nick
>fitzgerald that you're all lost causes...
>
Since I am frequenting the group mainly to see if anyone has an answer
to a question I posted that contains no request for code of any sort
other than the knowledge of it ever having been givem any thought and
what the result was, I don't think "you're" applies. Personally, I
expected a little more curiosity in the subject than I see, which is
a lot of people begging for code and then arguments over whether they
should get it rather than much in the way of discussion of snippets
of original work to shame the vendors into at least not providing
a hospitable environement. There's no excuse for being able to write
viruses with the macro language of something that one uses to write
documents, for example. Why don't you harp on that? Instead of simply
arguing over who gives whom what, why don't people post ideas for
potential NEW mechanisms? Anyone that understands the idea that doesn't
exist as a working example won't need code anyway, so you wont need
to bicker over giving awy something that doesn't exist. Anyone that
can't figure out bits and pieces probably won't benefit any more
from a working example, but at least you won't be focussed on who
does what with yesterday's code.
>
>furthermore, the criticism i made was reactionary and in response to a
>sentiment that the collection in question was 'great'... if you're a
>believer in the addage "quantity has a quality all it's own" then on that
>level i suppose it might be 'great', but otherwise . . .
But what did you offer besides a negative opinion? Being knowledgeable
means pointing out specific criticisms and providing a better replacement,
not necessarily of your own, but at least a reference to something
that's a superior choice at the same level. It would make no sense
to criticize a freshman level physics text and tell a freshman to
use dirac for a better view of modern physics, for example.
I'm sorry if I misread your remarks originally, but you didnt do much
to dispell that idea in your previous response.
Bilge
>
>Yet it is obvious that the aptly named Bilge is too hypocritical to see
>that he is condemning himself as a fascist.
Should I assume that you can offer a logical construction that
involves any standard definition of the words "fascist" and
"hypocritical" in which that conclusion follows from any
evidence other than your own unstated inferences of any remarks
I made? I'm inclined to doubt it, but heck, wail away if you
think you can sell it without anyone noticing the lapse in
reasoning. If everyone buys it, I suppose you'll just never see
how apt the choice bilge was.
David M. Chess
>BTW - I meant to always meant ask, might as well now. I'm curious, is
>that automatic imuno-system that you guys developed in large scale use
>yet (all your customers), or is it still in the testing phases? (Or
>just the virus sample analysis by computer part)?
Drifting gracefully off-topic... *8) It's coming along nicely.
We (the lab here and Symantec) recently completed a pilot with some
very large customers, to make sure that the system actually worked
and that they liked the interfaces and function, and the results
were very positive. It will be gradually rolling out in succeeding
versions of the NAV family of products. From the end-user's point
of view not much will change, except that things will get faster,
more automatic, and probably more reliable. We expect that one of
the main effects will be (pretty much by definition) inconspicuous:
the continued lack of globally-disruptive virus epidemics! *8)
kurt wismer
> > From: Cyclone <m...@here.com>
>
> > I hope this thread doesn't last as long as "Plural of Viruses" [hi David!],
> > though :)
>
> Hi! *8) I think I'll stay out of this go-round (well, except for
> this one posting!). I don't know the background, not being all
> that interested in reading the original thread.
you're in caro, right?
so it's like this, i'm trying to convince everyone else to be as
responsible with their virus samples as you are (or close to it at any
rate)... not exactly a new idea of course...
> I continue to think
> that there's a place for *responsible* handling of viruses, somewhere
> between "put them on the web for anyone who comes by" and "stop
> everyone in the world from ever doing anything dangerous".
agreed...
kurt wismer
> kurt wismer wrote:
> > no, i'm saying the liquor stores shouldn't sell to people who are already
> > drunk - and lo' that is exactly the way things work where i live...
> > they should also only sell to those who can prove their age...
> >
> > in comparison, people should only share viruses with those who have proven
> > their trustworthiness...
>
> Well, the fact is that someone is 18 and sober qualifies them as
> trustworthy for a liquor store, correct? So, why wouldn't an "Are
> you 18 and don't intend to malicously spread?" warning be sufficient
> for a vX site?
well, gee... i guess because people can answer no and still download... or
people can lie and say yes and still download... the liquor store
attendant doesn't necessarily take a customers word for it that they're
over 18 and sober...
> Proving "trustworthiness" seems a lot more of a
> strict standard for something a lot less dangerous (in the wrong
> persons hands of course).
a drunk is only a drunk so long as the booze lasts... a virus can keep
spreading for years...
> > so is the bartender or liquor store attendant who served them past the
> > point of drunkeness... and where i come from they can get in trouble too,
> > regardless of whether the drunk was a driver and/or ran someone over...
>
> The law is weird like that sometimes.
> That law is rather stupid though. I mean, what else is the purpose
> of a bartender other than to serve drinks?
since it is possible to take in a lethal dose of alcohol, it is very
sensible for bartenders to cut people off after a certain point...
> > [reformatting text manually - could you do something about your line
> > length?]
>
> Well, mine doesn't re-format all that nicely either. I'll try to be
> nice to pine users, but this is about as nice as it will get.
this seems fine so far... i don't think it's just pine users who have
problems though, tin or any other non-graphical reader will be limited to
an 80 column fixed width font display...
> > you mistate what the liquor store attendant does... verifying age is only
> > part of it...
>
> I guess I am. What is the other part? Do they all lead secret lives
> as super heroes when the sun goes down?
> Oh wait, I know what the other part is....
> verify age, AND... <DRAMATIC PAUSE>
> ...sell alcohol
> correct?
verify age and sobriety...
> > > What I'm saying, is that, like with alcohol, there has to be a certain
> > > level of
> > > trust between the provider and the consumer that the product will not
> > > be misused.
> >
> > i agree... but trust must be earned...
>
> Not necissarily in some cases. To continue with our liquor store
> example, 500 people that the liqour store attendant has never seen
> can visit the liqor store each day. Do you really expect the poor
> attendant to sit down with each of them over a cup of coffee and play
> Scrabble? Some level of trust is sometimes/often given implicitly.
in the above case what the attendant has to trust are visual and ol'
factory cues... is the id a forgery, does he reak of booze, etc,
etc... the fact is the attendant doesn't necessarily trust what the
customer tells them, the attendant has other means of gathering the
information s/he needs...
in the case of sharing viruses, however, there are no such cues to fall
back upon...
> > > You choose to have the security high, but that trust level very low
> > > (good for
> > > security, bad for an overall sense of freedom). Other products, some
> > > of which are
> > > much more dangerous than viruses, require less hoops to jump through.
> >
> > now you're mistating what *i'm* talking about... trust level is
> > low? that causes the web of trust to *fail* to work properly...
>
> I expressed myself poorly. What I meant was more along the lines of
> "initial trust". The trust you give to someone initially for no real
> reason. You set this level of trust very low and then insist that
> the person works hard for the rest.
it's not that hard to get to know people... and the work is shared by both
parties...
> This is more secure, but also a
> lot less pleasant for all involved (let's face it - it feels good
> when someone trusts you instead of never turning his back to you).
??? never turning one's back on someone is the sign of a strong
friendship... in the real world, people turn their backs on strangers all
the time... do you give money to every pan-handler you see?
> My point was that this initial trust should be determined by a
> products dangerousness. If that is the case, then I point out that
> more dangerous things - like alcohol - are being sold with a higher
> level of inital trust.
as i've stated, this is not the case with alcohol... the initial level of
trust in the customer is low, that's why the attendant visually
interrogates the customer...
> > those who aided that person share some of the responsibility, whether they
> > aided him/her knowingly or not...
>
> So do the people who gave birth to him, the people he went to school
> with, his teachers, the media, the ....
> I don't see them getting fines/jail sentences.
> It's kind of silly to include people who unknowingly helped in that
> list.
when they don't take due care to prevent something that they know happens
from happening it is not silly, it is negligence...
> > oh, for pete's sake cyclone... you were around the last time this got
> > discussed, weren't you? i'm not talking about dictating to anyone...
>
> Well, I do usually hang out in a.c.v.s.c., as a result I don't read
> many of the a.c.v. posts.
wasn't it cross-posted last time? darn, i can't remember now if it was or
not...
> > people who i turn down may well be trustworthy and i simply don't know
> > them well enough... in such a case surely someone else will know them
> > better and consider them trustworthy...
>
> Sure, that's fine.
> What I see is that you are trying to influence other peoples opion of
> whether someone is trustworth or not [which is not a bad thing in
> itself]. It seems to me that you'd like to see everybody have the
> same standards (or higher) as yourself [also nothing wrong with that-
> just don't be surprised/disappointed if someone has lower standards
> and respect their opinion].
no, not the same or higher than myself... i'm far too paranoid about such
things, i've never given samples to anyone, and if i were i would only
give them to established av developers (and even then only some of
them)...
i'd just like to see people only putting their trust in those for whom
there is some basis for trust...
> > > Hmm... are you saying that in order to get your hands on something, you
> > > should have
> > > to be forced to make freinds and connections to a privied few? That
> >
> > what privied few? you have viruses right? many of your friends have
> > viruses, and many of their friends have viruses... there are plenty of
> > people to get viruses from, but viruses should only be given to those whom
> > you know you can trust...
>
> Yes, I have some viruses.
> Would I have ever gotten them, if everyone had the same standard for
> virus distribution as you? Hardly - the places I got them from would
> not exist.
that's true, but that doesn't mean there wouldn't be other sources... you
wouldn't have gotten the same viruses you have, but that is not to say you
couldn't have gotten other viruses (and i think it would be unreasonable
to expect everyone to have the same standards that i have - as noted
above)...
web of trust models don't preclude web based distribution,
either... though they require access controls on the viruses
(passwords, encryption, something like that)...
> So, how is someone supposed to gain a level of trust? I mean
> exchanging mail with someone that goes by a psuedonym is not the best
> way to gain trust, is it?
probably not, not if they're using a psuedonym at any rate... i mean
really, if you're to trust each other would it be so much to ask to use
real names with each other?
> So what would it take - a face to face
> meeting (costing thousands in plane tickets, etc), gifts, Christmas
> cards, what?
i don't think any of that is required...
> For example, if I email you, will you send me a virus source?
i doubt it... i don't know what your personal policy is on sharing
viruses... i get the feeling it's nothing like mine and that does not give
me confidence that viruses i might share with you won't fall into the
wrong hands (though i am fairly confident that if i were to give you a
virus i wouldn't be placing it directly in the wrong hands)
> > you've existed longer in the united states than in the other countries
> > you've visited...
>
> That so? Strange. I don't live in the United States.
oh, sorry... i appear to have made an ass out of u and me...
you really found more helpful people in the states? that's weird...
> > re-read what i said... learning is an academic use... i did not say it was
> > not valid, only that it was not practical... academic actually means
> > without practical use or purpose... that doesn't mean it isn't valid
> > though, you don't have to be practical to be valid...
>
> The statement that viruses are not practical is inacurate.
[snip long example]
> With that said, obviously the someone who wrote the comperssor,
> benefited from availability of virus source/information. I'd call
> that practical, you?
nope... first you're assuming that the information on how to do what you
describe, you can't really know they didn't come up with it
independantly...
second, learning from viruses is still academic... one may be able to put
the information to later practical use or one may not...
> > > I don't quite follow your "giving a new car" talk. If someone
> >
> > it's the closest i could get your helpful fellow driver analogy to fit the
> > situation with virus exchange...
>
> I think we'd agree that that has more to do with a cars price
> (relative to a free virus) rather than it does with the willingness
> to help. If a car was free, then it's quite likey that you would get
> one from someone wanting to help out.
yes, i would agree... i think perhaps the analogy breaks down at this
point...
> > that depends entirely on the form of information they ask for... if they
> > are asking for source or binaries, then they are not looking for
> > information specifically, only something that happens to fall under the
> > umbrella term of information because all things on a computer are
> > information... if someone asks for a virus it is comparable to a person
> > without a working car asking for a car...
>
> Binaries aside, source is a good place to learn from. Code, from the
> fact that it needs to be complete and correct, is a nice place to
> look to see exactly how things work.
not to put too fine a point on it, but not all source code is
correct... at least not in the comp.sci. sense of the word...
further, virus source code is more likely to contain bugs than a
self-correcting source code medium like 80XXX in fidonet...
> Thus people often are looking
> for information when they want the source.
some... and some of those are looking for information on how to wreak
their own brand of havoc on the world... the malicious writers of
tomorrow...
> Binaries are good only when the source in unavailable. But some
> people seem to enjoy collecting them, so, that's a valid use too.
never said their weren't valid uses (i think i made this clear before),
only that there were no good practical uses...
> With your asking for a car example, it's also analogous to asking for
> a new tail light (which people often have and give),
people have spare tail lights? that's a new one on me...
> a jumper cable
> boost, or use of their time.
neither of those have monetary cost, however there is also no exchange of
artifacts involved (artifact = man made thing)... with no exchange of
artifacts, theres no risk that the exchanged artifact could be misused to
hurt others...
[snip]
> > furthermore, why not just go into the walmart and buy the part you need to
> > fix the car? isn't walmart the everything store? if i broke down infront
> > of a canadian tire store i could do that (or buy a crossbow and shoot the
> > people who asked for id if i were of a mind to)...
>
> Well, Canadian Tire is a better place for autoparts than a Walmart.
> The point is, even if you did buy the part, no one would let you
> install it because of the constant stream of people asking for ID
> (and that's assuming that they'd eave you long enought alone for
> you to identify the part you need).
i take it you're not very good at ignoring people?
if you're not asking for help, why would they be asking for id or any
other kind of certification? who does that sort of thing without
prompting?
> > but this is all besides the point since, for the virus side of this i'm
> > not talking about any kind of certificate scheme... either you know and
> > trust the person or you don't...
>
> Isn't that what CARO uses? I don't think they'd give me any source
> no matter how much I pester them. They probably wouldn't give any to
> you either (if you're not a member that is).
i'm not a member and quite frankly i've never asked... i don't know if
they would or wouldn't... i was once offered a small collection by someone
who at that point had only ever sent them to fsi, but he was just the
sysop of an anti-virus bbs...
i would assume you're right about them not sharing with you, at least not
right off the bat... i don't know that any of them know and/or trust
you... but i do recognize that that sort of thing can change over time...
[snip]
> > like i said, credit card numbers in the wrong hands can only hurt the
> > credit card holder... you don't care because it doesn't affect you or
> > anyone else, just the person who put it on their website... viruses affect
> > more people, that's why i care, that's why you should care... you could
> > get hit, or your parents, or your sister or brother, or your best
> > friend...
>
> Or my Great Grand-Aunt's, sister-in-law's, step-son's, niece's dog.
> We all know the risks of getting files from the net.
fact of the matter is that while you and i do, not everyone does...
> One can't make
> the risk 0, and trying to even get close to 0, often results in more
> freedom loss than the security you gain is worth.
well, since i'm not trying to infringe upon freedoms, nor am i suggesting
anyone else do so the point is moot and the drive to approach near zero
risk can procede unfettered...
> The thing that botheres me about your example is that you
> automatically seem to imply the equation of:
> put viruses on web site == people get infected.
then you're not thinking creatively enough see above (many paragraphs
above)...
> I would argue that, as there are some old viruses that are published
> in relatively old zines (like cb#4), that don't even scan with the
> latest scanners - I presume because they never infected anybody.
> I really think that instead of complaining about the websites, you
> should be complaining about the people who spread viruses
> maliciously.
i do complain about the people who spread viruses maliciously and i would
like to see all of us who don't support such behaviour not helping it
happen...
there aren't too many people who openly admit to spreading, though... off
the top of my head the only one i can think of is spanska - and i have
asked him repeatedly to keep his viruses to himself...
Robert
<ro...@radioactivex.lebesque-al.net> wrote
>Robert said some stuff about
>
> >
> >Yet it is obvious that the aptly named Bilge is too hypocritical to see
> >that he is condemning himself as a fascist.
>
> Should I assume that you can offer a logical construction that
> involves any standard definition of the words "fascist"
How come you suddenly want to use the "standard definition" of fascist
You stand condemned by your own definition:
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
You have imposed restrictions on the information about your bank account
and credit card details for the sake of your own convenience and at the
expense of those who read this newsgroup and would want to study that
information.
The majority of readers of this newsgroup probably do not sit around and
contemplate destroying the world.
You admit that you impose these restrictions to stop the few who might
abuse the information.
QED you are exposing yourself as a fascist by your own definition of the
term.
In accusing others of fascism according to your own definition (restored
above since you were too ashamed to leave it in your reply to me), you
demonstrate your hypocrisy.
--
Robert
I am not where I *can* see myself,
Where I *can't* see myself, I *am*,
I guess I'm virtually transparent ...
Robert
> >accounts for the sake of your own convenience and at the expense of
> >others who would wish to have access to this information.
> >
> Like I said, I take responsibility for my own security.
Each time you are too ashamed of your own hypocrisy to leave in the
definition of what you call fascism. I am restoring it again here:
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
>I do it
> by making value judgements concerning what I own
So you are imposing restrictions upon information for the sake of
convenience
>, not what another
> owns.
That is irrelevant to the fact that you are imposing restrictions on the
information for the sake of convenience and at the expense of those who
would study that information
You are both a fascist by your own definition and a hypocrite
>
> >Practice what you preach or FOAD
>
> I do. I preach using what one owns as one sees fit.
No, you preach not imposing restrictions on information for the sake of
convenience - let me remind you of your own words:
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
>I don't tell you
> what to do regarding that which you own.
Yes you do. In accusing people of fascism because they do not support
the uncontrolled distribution of malicious software, you are telling
people what they can and cannot do
>In fact, I don't even care
> to know what that might be. Democracy means never having to say "you
> must". Only a warped perspective of freedom causes people to try and
> take what's mine by appealing to the concept of freedom to insist I
> share it. Just ask the people that survived the cultural revolution.
>
So do you deny having written:
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
Because you are certainly contradicting yourself here
PaX
"educational
purposes only". If Vx actually want to change their reputation, they'll
stop publicly distributing viruses and distribute them _only_ among
other Vx folk that they trust.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
George,
That is very often the case but sometimes wildcards come
along,that act outside of anything the VX community know about...
So if the entire VX community followed the suggestion then there would still
be the potential for the "lone gunman" situation although I accept that the
potential for harm would be reduced..
best wishes Dalt
Cyclone
> Drifting gracefully off-topic... *8)
What topic? "From ANONYMOUS?" ;-)
> It's coming along nicely.
> We (the lab here and Symantec) recently completed a pilot with some
> very large customers, to make sure that the system actually worked
> and that they liked the interfaces and function, and the results
> were very positive. It will be gradually rolling out in succeeding
> versions of the NAV family of products. From the end-user's point
> of view not much will change, except that things will get faster,
> more automatic, and probably more reliable. We expect that one of
> the main effects will be (pretty much by definition) inconspicuous:
> the continued lack of globally-disruptive virus epidemics! *8)
I've read some papers on this system and it looks intriging.
There is one thing that has me wondering though.
Assuming you get a non-virus (your computers are unable to get it to
replicate), then you report it as a non-virus, or does it then wind up on
someones desk? If it ends up on someones desk, doesn't this slow things
down (granted it's still faster than before, but negatives will still
take a long time to analyze)?
Well, in any case, good luck on it.
Cyclone
> purposes only". If Vx actually want to change their reputation, they'll
> stop publicly distributing viruses and distribute them _only_ among
> other Vx folk that they trust.
>
Well, no it doesn't work all that well.
If it worked well, I could get source from CARO, couldn't I? CARO works
SO well, that's it's pointless for me to even bother trying.
The problem with the "vX folk" is that it is a very transient and
scattered group. Most often people "join", learn how to write viruses,
then leave. The problem is how to get to "know" the new people.
To get to be on trustworthy terms with vX (enough to get code anyways),
you need to be informed of how viruses work at the very least. Your
method of knowing someone before giving them information usually creates
an unfortunate catch-22 situation.
Cyclone
> well, gee... i guess because people can answer no and still download... or
> people can lie and say yes and still download... the liquor store
> attendant doesn't necessarily take a customers word for it that they're
> over 18 and sober...
Well, the "above 18" page is good enough for a porn site... err... or so
I've heard ;-)
> > Proving "trustworthiness" seems a lot more of a
> > strict standard for something a lot less dangerous (in the wrong
> > persons hands of course).
>
> a drunk is only a drunk so long as the booze lasts... a virus can keep
> spreading for years...
Are you implying that a computer virus is more dangerous than a drunk
driver? (the fact the booze don't last is some consolation to the
grieving parents in your run down child example)
> > The law is weird like that sometimes.
> > That law is rather stupid though. I mean, what else is the purpose
> > of a bartender other than to serve drinks?
>
> since it is possible to take in a lethal dose of alcohol, it is very
> sensible for bartenders to cut people off after a certain point...
True, but legislating common sense is rather silly. Besides, people
usually pass out and/or throw up before they can take a lethal dose...
err... or so I've heard ;-)
> in the above case what the attendant has to trust are visual and ol'
> factory cues... is the id a forgery, does he reak of booze, etc,
> etc... the fact is the attendant doesn't necessarily trust what the
> customer tells them, the attendant has other means of gathering the
> information s/he needs...
>
> in the case of sharing viruses, however, there are no such cues to fall
> back upon...
Granted, that on a web site good intentions have to be assumed (I still
don't think that that's too much to assume).
This is not the case here for example though. If some one posts asking
for a source, there are such cues.
For example the two posts:
"Could I get the source to the routine to get into ring0 from the CIH
virus from someone, please?" and "I need that BIOS killing virii!"
There are queues to pick up on.
Yet I don't see giving a nod to either when it happens.
> > This is more secure, but also a
> > lot less pleasant for all involved (let's face it - it feels good
> > when someone trusts you instead of never turning his back to you).
>
> ??? never turning one's back on someone is the sign of a strong
> friendship... in the real world, people turn their backs on strangers all
> the time... do you give money to every pan-handler you see?
Again there is a misunderstanding.
I meant: "not turning your back to somebody because you're afraid of
being stabbed in the back"
I did not mean: "to turn your back (as to shun someone)"
> > My point was that this initial trust should be determined by a
> > products dangerousness. If that is the case, then I point out that
> > more dangerous things - like alcohol - are being sold with a higher
> > level of inital trust.
>
> as i've stated, this is not the case with alcohol... the initial level of
> trust in the customer is low, that's why the attendant visually
> interrogates the customer...
It's not that low. Otherwise there'd be no drunk drivers. There are no
background checks, there is recording of names of customers, etc.
Besides, the visual queues that you find so important are not reliable.
People can look fine and be dead drunk.
I'd consider an insecure system like this to have fairly high initial
trust considering how dangerous alcohol can be in the wrong hands.
> when they don't take due care to prevent something that they know happens
> from happening it is not silly, it is negligence...
So a car salesman should be tried for negligence when a car he sold
breaks down? If someone has an accident in it? Sooner or later, any car
will break down, and someone in any group of car owners will have some
car accident.
To call that negligence is silly.
> that's true, but that doesn't mean there wouldn't be other sources... you
> wouldn't have gotten the same viruses you have, but that is not to say you
> couldn't have gotten other viruses (and i think it would be unreasonable
> to expect everyone to have the same standards that i have - as noted
> above)...
And which viruses would I get if the security of viruses was the way you
invision it? Answer: None.
I am indebted for the viruses I have to those that do have a vX or
publish zines. Yes, viruses can get into wrong hand, but without them,
they'd never get into hands like mine. (I can see you crying at that
thought ;-)
> web of trust models don't preclude web based distribution,
> either... though they require access controls on the viruses
> (passwords, encryption, something like that)...
Now extend that to the liquor store example.
"I've never seen you before - you can't have any! Go away!"
> > So, how is someone supposed to gain a level of trust? I mean
> > exchanging mail with someone that goes by a psuedonym is not the best
> > way to gain trust, is it?
>
> probably not, not if they're using a psuedonym at any rate... i mean
> really, if you're to trust each other would it be so much to ask to use
> real names with each other?
Does it really matter if you know someone as Bill, Fred, George, or
Cyclone?
I could quote Juliet, but not wishing to massacre the play (since I don't
have it readily available), I'll let it go.
> > For example, if I email you, will you send me a virus source?
>
> i doubt it... i don't know what your personal policy is on sharing
> viruses... i get the feeling it's nothing like mine and that does not give
> me confidence that viruses i might share with you won't fall into the
> wrong hands (though i am fairly confident that if i were to give you a
> virus i wouldn't be placing it directly in the wrong hands)
Actually it's not completely different from yours. I don't often get any
requests for anything, and I only ever try to help those that I'm pretty
sure don't have a malicious use for it. Since my collection is
relatively small, the best I can usually do is provide a URL.
> > That so? Strange. I don't live in the United States.
>
> oh, sorry... i appear to have made an ass out of u and me...
>
> you really found more helpful people in the states? that's weird...
Well, the USA does not equal New York (which I can't say many good things
about). If you avoid cities with populations with over 1 million you run
into some really nice people.
Would it make you happy, Kurt, to hear that Canadians are generally
really nice too? There's really not much of a difference from a Canadian
and an American.
> nope... first you're assuming that the information on how to do what you
> describe, you can't really know they didn't come up with it
> independantly...
>
> second, learning from viruses is still academic... one may be able to put
> the information to later practical use or one may not...
Excuse me?!?
The telephone could have been invented independantly (in fact it was),
but the one who gets credit for it is Alexander Grahm Bell.
Anyone COULD have invented it, but only one person did. The fact that
someone could be re-inventing the wheel is irrelevant.
(Now with that said, juding from the number of things that were done in
that compression engine that looked virulent, it is highly unlikely that
the author of it was completely unaware of viruses.)
And about the acedemic thing, yes it is, but most inventions are like
that. Someone first figures out how to do something on paper than
actually does it. Consequently the invention is created when you put it
on paper, not when you put it together. Since the invention is
practical, the "acedemic" paper is now practical.
> not to put too fine a point on it, but not all source code is
> correct... at least not in the comp.sci. sense of the word...
>
> further, virus source code is more likely to contain bugs than a
> self-correcting source code medium like 80XXX in fidonet...
Oh, no doubt about it. Some code out there is crap. It's the ones that
aren't that are the interesting ones. But to have good code available,
there has to be certain percentage of crap out there.
> > Thus people often are looking
> > for information when they want the source.
>
> some... and some of those are looking for information on how to wreak
> their own brand of havoc on the world... the malicious writers of
> tomorrow...
You know, I think this is where the main differnece of our perspectives
lies.
The vX community (some excpetions of course - like in any large group),
from what I can tell, is not the stereotypical "evil menace intent solely
on world domination".
Most seem to be in it to learn how to write one - which is not a bad
thing. Some give the source to their friends or publish in zines- also
not an entirely bad thing. The problem of course starts when some of
them decide to see how far one of their creations can get. Very rarely
does the idea of "wreaking their own brand of havoc" come into play at
all, however.
> never said their weren't valid uses (i think i made this clear before),
> only that there were no good practical uses...
Practical use:
Gets ideas out there which can be used by other programs (As witnessed by
the example I gave).
> > a jumper cable
> > boost, or use of their time.
>
> neither of those have monetary cost, however there is also no exchange of
> artifacts involved (artifact = man made thing)... with no exchange of
> artifacts, theres no risk that the exchanged artifact could be misused to
> hurt others...
As a Canadian you should know that boosting someones car does not exactly
do a great service to your own battery. Thus you are depriciating your
battery. And remember: time is money.
> if you're not asking for help, why would they be asking for id or any
> other kind of certification? who does that sort of thing without
> prompting?
This example was about what could happen IF everybody had zero trust for
everyone and tried to have a situation where nothing bad could happen (in
this example installing a car bomb). Thus, passerbys would have to stop
you, get your registration and ID, and make sure you were tinkering with
your own car.
The fact that this doesn't happen is a good thing, but you're no longer
safe from car bombs :)
(read back the thread if want to see how this came about [my first post
in it I believe started it])
> > Or my Great Grand-Aunt's, sister-in-law's, step-son's, niece's dog.
> > We all know the risks of getting files from the net.
>
> fact of the matter is that while you and i do, not everyone does...
For those that don't know the risks, they could be even more negligent
that and vX site in that case, maybe?
> > One can't make
> > the risk 0, and trying to even get close to 0, often results in more
> > freedom loss than the security you gain is worth.
>
> well, since i'm not trying to infringe upon freedoms, nor am i suggesting
> anyone else do so the point is moot and the drive to approach near zero
> risk can procede unfettered...
Freedom is not just a concept, its also a feeling.
I don't know exactly how to describe it, but it's a feeling of "I could
if I wanted to" (of course knowing that if it's something bad, there are
reprocussions).
The drive for security directly and actively destroys this.
You can't be free to do good, if you're not free to do wrong.
> > The thing that botheres me about your example is that you
> > automatically seem to imply the equation of:
> > put viruses on web site == people get infected.
>
> then you're not thinking creatively enough see above (many paragraphs
> above)...
Not quite. My problem is that you see:
put viruses on site == people infected
I see:
viruses which infect someone are a small subset of the total viruses
downloaded from the website.
kurt wismer
> kurt wismer wrote:
> > > > > Virus scanners can't keep up
> > > > > as it is.
> > > >
> > > > in what sense can scanners not keep up?
> > >
> > > In the sense that a virus spreads before virus scanners become
> able to
> > > find and kill it.
> >
> > that's not always true,
>
> But it is in certain cases.
oh, woe is me... scanners aren't perfect...
> But I would assume that the source code
> wouldn't actually be of that much use to AV authors - they just need
> to recognise the compiled virus.
more accurately, source code is pretty much useless to av authors as
different assemblers/compilers will produce slightly different binaries
and they're in the business of detecting what poses a threat to people,
not what they can generate in their labs...
> > but for those cases where it is true, that is why
> > there are other forms of anti-virus technology besides scanners...
> >
> > i certainly never said scanners are the be all and end all to
> anti-virus
> > security...
>
> Yes, but they are the most common.
and for good reason... most viruses are known, most viruses in the wild
are known... scanners are the most effective *preventative* measure there
is... when it comes to detecting things after they've had their way with
your system, however, integrity checkers win for the most part (office
documents are problematic, but it's not infeasible to perform integrity
checking on the data sections of an office document)...
kurt wismer
> kurt wismer said some stuff about
>
> >a) nobody is being penalized - have you even bothered to look back in
> >dejanews to find out what exactly the alternative i propose is? i know you
> >certainly haven't asked me what it is...
>
> I responded to what you wrote. You did not bother to tell me that
> there was any error in what I stated regarding anything I might
> have misconstrued. Instead, you responded as if I had not.
it didn't become clear that you had misconstrued things until the article
to which i replied...
> >b) you're completely ignoring the spectrum of non-direct
> >responsibility...
>
> No. I just think that it's obvious that you can't force people to
> be responsible.
you're right, that much is obvious... that's why i try to persuade,
rather than force...
> Someone that has lost all of the data on their disk
> from a virus is more likely to be careful with disseminating informa-
> tion without any encouragement. The person that never has encountered
> one is unlikely to be persuaded and possibly even encouraged to
> be malicious by virtue of considering themselves immune. Perhaps
> such a person would better be persuaded by personal experience.
i have no personal experience to share... i've been virus aware since the
beginning and have never been infected... (admittedly that makes me a bit
of an odd-ball)
as such i can't make use of such experience for the purpose of
persuasion...
[snip]
> >the information you reference all has good practical uses... viruses do
> >not have a good practical use, they have a good academic use, but their
> >only practical use is as a weapon...
>
> An academic use is a practical use.
that is a contradiction in terms... academic means "without any practical
use or purpose"..
> It would not be hard to come up
> with a biological simulation that might be easily done by writing
> writing competing programs with various capabilities. It might be
> simpler to have it reproduce and see the result than write a self
> contained program to keep score.
do a web search on tierra and you'll find something very much like
this... but self-replicating code in toy environments (any responsible
researcher would insist on such a safety precaution) cannot be a "real
virus" as it cannot infect and spread on any real world general purpose
computing platform...
> Computational experiments are becoming
> more common with the arrival of cheap memory and disk space. Monte
> carlo has been around for a long time for example, and was never
> all that useful until systems were capable of carrying out 100,000,000
> or so "experiments". In terms of memory, it may be ineffiecient,
> but it finishes running in this lifetime.
the last line is completely dependant on the complexity of the problem the
experiment hopes to solve...
> >giving up my code? what are you talking about?
>
> I just assumed that controlling something meant not everybody had
> an opportunity to obtain it from others based upon mutual consent.
> If a third, non-involved, party decides, than why would you have
> any reason to be among the people that should have access?
ah, you *assume*d... you assumed i was talking about centralized
controlls... i'm not... each person controlls what is in their
possession...
[snip]
> >> You aren't considering an academic career, I take it? >
>
> >no, what does that have to do with anything?
> >
> Usually, one needs to recognize they dont know enough to be so
> certain that something is useless rather than something having
> no use that has yet been found.
is this in relation to my statement that there is no good practical use
for viruses?
if so i would point out that practical uses aren't the only kinds of uses,
and also that good uses aren't the only kinds of uses... ergo i never said
viruses were useless...
[snip]
> >i'm not talking about treating anyone as a criminal or punishing
> >anyone... please do not assume my intentions, you'll only make an ass out
> >of u and me... do caro members treat the people with whom they exchange
>
> You have done nothing until this point to give me any reason to
> believe your goal shouldn't be enforcing your objectives rather
> than voluntary compliance.
in other words your assuming my objectives are something they aren't... i
may not have done anything to contradict such a hypothesis, but i also
have done nothing to support such a hypothesis...
> >viruses as criminals? no, of course not... do they punish them? no of
> >course not... i'm asking nothing more of the vx than i expect from caro...
>
> And what is their criteria for dissemination? I would guess there
> is not much voluntariness involved. To be a member and receive
> the same information they have, I would guess you have to agree
> not to let unapproved individuals have access to what they provide.
not quite... to be a member they all have to trust you... implicit in that
is that they have to trust your judgement as to whom you share samples
with... individual members of caro do share samples with non-caro members
from time to time (perhaps more often than that)...
[snip]
> Also, before blaming the availability of source code on the
> prevalence of viruses, you might consider the possibility that
> there are people with a hell of a lot to gain that will always
> have access. Go look at the sales of anti-virus software or
> microsoft products and ask yourself why microsoft didn't bother
> doing something back in 1985 when the 386 offered them a way
> to at least minimize the problem by actually using protected
> mode for something. Even after they figured out it existed, they've
> contiued to create software that encourages behavious that
> defeats its purpose. If you think for a second that a few
> billion dollars a year doesnt provide incentive to find as
> many creative ways as possile to make another billion, think
> again. If you want to point a finger at the most responsible
> party, poit at microsoft, who believes telling people they're
> doing something provides a better margin than actually doing
> it.
blame microsoft for what? not fixing the problem? for not making it
impossible for viruses to spread? for providing the main target platforms?
get real... dos/win/office are the main target platforms because they are
the most accessible and have the largest market share globally... they are
not at fault for the spread of viruses, their success just happens to make
them the best target...
it's not like you can make a general purpose computing platform that's
immune, protected mode would only have stopped some of the existing
viruses...
[snip]
> >i'm not trying to decide for anyone else... please remove your head from
> >your rectum... i cannot make decisions for other people, i can only try to
> >influence their own decisions... the purpose of the prosaic form is the
> >persuade the audience...
> >
> Maybe that effort would be better spent having software vendors pull
> their heads from their rectums and simply write code which doesnt
> do things like execute email, need to write in system directories,
> reequire hardware access, or in short, shout "infect me, my author
> is stupid and the person using me is stupider".
you seem to think it's possible to write an operating system that would
make viruses impossible and yet still retain general purpose utility - the
fact is that it is theoretically impossible to do so... i could try and
get software vendors to write software differently, but it wouldn't stop
the platforms from being infectible and it wouldn't stop virus writers
from writing viruses to infect them... ergo, what would i really
accomplish?
[snip]
> >and i'm only asking that people take more care in controlling the
> >information in their possession, so why are you crying fascist so loudly?
> >
> Why didn't you mention it the first time?
*i* didn't... i mentioned hypocrisy... you were the first to mention
fascism...
[snip]
> >the lack of enthusiasm suggests that many people agree with nick
> >fitzgerald that you're all lost causes...
> >
>
> Since I am frequenting the group mainly to see if anyone has an answer
> to a question I posted that contains no request for code of any sort
> other than the knowledge of it ever having been givem any thought and
> what the result was, I don't think "you're" applies.
your support of open virus exchange basically makes you vx... you may not
be practicing those acts which you've been showing support for, but
support alone is enough...
> Personally, I
> expected a little more curiosity in the subject than I see, which is
> a lot of people begging for code and then arguments over whether they
> should get it rather than much in the way of discussion of snippets
> of original work to shame the vendors into at least not providing
> a hospitable environement.
completely inhospitable environments would be practically useless in the
real world... don't hold your breath waiting for one...
> There's no excuse for being able to write
> viruses with the macro language of something that one uses to write
> documents, for example. Why don't you harp on that?
why harp on something that isn't the problem... i may not think highly of
a burglary victim who leaves their doors unlocked but i'm not going to
blame the burglary on them... the existence of security holes does not
justify the spreading of viruses...
furthermore, i'm not against writing viruses... people can write viruses
till they're blue in the face for all i care so long as they keep them to
themselves...
> Instead of simply
> arguing over who gives whom what, why don't people post ideas for
> potential NEW mechanisms? Anyone that understands the idea that doesn't
> exist as a working example won't need code anyway, so you wont need
> to bicker over giving awy something that doesn't exist. Anyone that
> can't figure out bits and pieces probably won't benefit any more
> from a working example, but at least you won't be focussed on who
> does what with yesterday's code.
probably because that doesn't really help people 'learn'... i wouldn't
mind it if that were what were going on instead of virus trading, but i
don't think i can reasonably expect it to happen...
muytech
THANKS IN ADVANCE!
"John Ievins" <thegr...@thegrendel.freeserve.co.uk> wrote in message
news:8dkrkk$due$7...@uranium.btinternet.com...
> kurt wismer wrote:
> > > > > Virus scanners can't keep up
> > > > > as it is.
> > > >
> > > > in what sense can scanners not keep up?
> > >
> > > In the sense that a virus spreads before virus scanners become
> able to
> > > find and kill it.
> >
> > that's not always true,
>
> wouldn't actually be of that much use to AV authors - they just need
> to recognise the compiled virus.
>
> > there are other forms of anti-virus technology besides scanners...
> >
> > i certainly never said scanners are the be all and end all to
> anti-virus
> > security...
>
> Yes, but they are the most common.
9bit
compiler, so what makes this virusing thing so tragic to some people?
Now, I've read/heard of people that died for misuse of guns, stones,
bottles, tables, cars, ropes, wires, medicines, alcohol (not speaking
about getting drunk), rat poison and just about anything, but I've
never in my life heard of anyone being killed with a compiller.
"kurt wismer" <g9k...@cdf.toronto.edu> wrote in message
news:Pine.SOL.4.21.00042...@eddie.cdf...
Nick FitzGerald
<<snip>>
> ... From the end-user's point
> of view not much will change, except that things will get faster,
> more automatic, and probably more reliable. ...
Does that mean we will see no more of those stupid "Thank-
you for your submission -- the file does not contain a
virus" replies from the front-end processor?
You know -- the ones that actually mean "our current
(possibly not released to the public) DEfs do not detect a
known virus. Some intelligent (automated and/or human)
analysis will now be thrown at the file in case it is an
unknown virus".
Inquiring minds need to know... 8-)
--
Nick FitzGerald
kurt wismer
> I NEED A NASTY VIRUS! HOPE YOU GOT ONE! PLEASE SEND TO ME IN AN ATTACHMENT!
> THANKS IN ADVANCE!
please don't troll for viruses here, it encourages the uncontrolled
distribution of viruses and that enables people to spread them
maliciously...
if you must look at viruses, get them privately from someone who knows and
trusts you not to do anything stupid or malicious with them, not
publically from a bunch of strangers...
and for crying out loud, don't cross post your virus trolls...
kurt wismer
> Excuse me ya'all, But I know of nobody that has died for misuse of a
> compiler, so what makes this virusing thing so tragic to some people?
>
> Now, I've read/heard of people that died for misuse of guns, stones,
> bottles, tables, cars, ropes, wires, medicines, alcohol (not speaking
> about getting drunk), rat poison and just about anything, but I've
> never in my life heard of anyone being killed with a compiller.
people dieing is not the only bad thing that can happen in the world, you
know... just because it doesn't cause death, doesn't mean it's ok...
[snip my entire message]
and could you please quote selectively in future... there is no reason to
quote material you aren't directly replying to...
Cyclone
> >The problem with the "vX folk" is that it is a very transient and
> >scattered group. Most often people "join", learn how to write viruses,
> >then leave. The problem is how to get to "know" the new people.
>
> would be simply not to send viruses to people that you know will post
> them publicly. That would go a long way in reducing the availability of
> viruses to people that would intentionally infect systems.
That's my point. How do you KNOW, that you admit is hard to know due to
how new "aspiring" vXers are appearing all the time, that they won't post
code publically. You don't, so as a consequence they wont get code, will
they?
> >To get to be on trustworthy terms with vX (enough to get code anyways),
> >you need to be informed of how viruses work at the very least.
>
> Hogwash. I include Vx web pages as part of the "Vx community". It's
> easy to get code from those sites.
I was refering to people, not web pages.
Cyclone
I'll cut out the things I mostly agree with.
kurt wismer wrote:
> sorta depends on the person and/or the drink... i suppose if they were
> drinking american beer they'd die of old age before they got a lethal
> dose..:-)
> i do... there are plenty of people who pay no mind to warnings on
> websites, they just click on through to the 'good stuff'...
True, but then those people are breaking the rules twice - when they
spread it, and when they download it. Thus, in some sense, the site is a
tertiary source.
> > For example the two posts:
> > "Could I get the source to the routine to get into ring0 from the CIH
> > virus from someone, please?" and "I need that BIOS killing virii!"
> > There are queues to pick up on.
> > Yet I don't see giving a nod to either when it happens.
>
> those aren't reliable indicators of intent or competence... smelling of
> booze, along with an unsteady walk is a fairly good indicator of
> drunkeness...
No they are not reliable, but neither is smell, if someone's wearing a
strong perfume or cologne. And, of course, if they claim that they
walked to the store from a party, they could persuade the clerk to sell
anyways. One can always lie - but then whose fault are the consequences?
(not the person who was lied to IMO)
> well, if people are looking for 'feel-good' experiences they should stick
> with their existing friends... frankly when someone sends me an email
> asking for a virus (and they do) the "am i going to make him feel bad if i
> say no" question is not the foremost thing on my mind...
I didn't mean to imply it should be foremost on your mind. I'm just
pointing out, that if you choose to reply in the affirmative, then you'll
probably make his/her day (since the person was more or less expecting
to be ignored by 99.9% of the people reading). The reason it would make
them feel good is because they think "someone trusts me enough and wants
to help me".
Generally speaking, people helping out people makes the people who
recieved the help, want to help too. This tends to make the world a
little more pleasant place to live. Now if this logic extends to
viruses, is a topic of debate that I don't want to get into this much.
> point of fact, i'm not suggesting anything like that for virus sharing
> either... liquor store attendants also don't perform blood tests or rectal
> probes...
They also don't write down names of customers so that potentially later
they could give the list to police after a DUI incident. Which is what
the "passwords, encryption, etc, etc" you suggest is.
> > So a car salesman should be tried for negligence when a car he sold
> > breaks down?
>
> no, the salesman isn't responsible for the car, the dealership is...
But EVERY car breaks down eventually! Don't you think this would bog
down the courts a little?
> > If someone has an accident in it?
>
> if the salesman didn't check to see that the purchaser was licenced,
> maybe...
They don't check if you have a license, if I remember correctly.
> are you unfamiliar with the term "due care"... it means taking reasonable
> measures, not herculean measures, just reasonable ones... liquor store
> attendants take reasonable measures, car salesmen take reasonable
> measures.. vx websites take no measures, at least none that actually do
> anything (like a malicious spreader is going to see a "for educational
> purposes only" sign and say 'gee, guess i'll have to go elsewhere')...
Strange, I've never seen a car salesman refuse to sell someone a car :)
(Providing the financial side did not stand in the way)
> says who? the above is your bias talking... you can't envision how new
> people could become trusted, and yet caro (which is actually stricter than
> what i'm suggesting as it requires all members to trust the initiate
> before the initiate can become a member) is a growing group of
> people... new people become trusted by many, what i am suggesting only
> requires one to become trusted by a few or even a single person in
> order to get viruses from those few or that single person...
Maybe it's just me, but I find it difficult to trust someone I've never
met soley by email correspondence.
> hmmm.. i must be using a no tears newsreader...
Time to upgrade ;-)
> web of trust doesn't work for centralized or semi-centralized
> distribution... though i imagine back in the days of prohibition webs of
> trust could have helped rum runners stay out of jail...
So someone should never shop for booze, outside of the one store that
knows him? And if recommendations were allowed from other stores to
bypass the problem, then I think we can both see that trafficing in
recommendations would lead to a reevaluation of the system, which would
most likely lead to a complete crack-down on booze/viruses.
> symbolically, yes it matters... we're talking about trust, after
> all... you may not want to sign each and every message with your real name
> but it sure doesn't indicate a great deal of trust if two people don't
> even know each other's real name...
True, True, but since on the net most vXers go and stick with their
alias, it may as well be a real name for all anyone cares. In this case,
the alias serves no purpose of hiding identity, for that is the name
everyone knows them by.
> well, i'd be happier if you made sure they were responsible with who they
> gave viruses to aswell...
Well, you can never be sure of that if you aren't planning on keeping
them totally for yourself. I can put your mind at ease, that I believe
(about 97% sure) that those people (there's only about 2) didn't give it
to anyone who wanted to use it maliciously.
> > Would it make you happy, Kurt, to hear that Canadians are generally
> > really nice too? There's really not much of a difference from a Canadian
> > and an American.
>
> except for the lower homicide rate up here...
I think the stats are skewed a bit due to New York, LA, Phillidephia, etc
- at least partly.
> we aren't talking about inventions here... inventing something means you
> got there first, i didn't say the programmer got their before the virus
> writers, only that he could have gotten where he did without the aid of
> anything made by a virus writers...
Ok. That's possible. Given the amount of things though, I think it's
highly unlikely - but possible.
> it is rather unlikely that any programmer is *completely* unaware of
> viruses... awareness != having looked at the code, however...
These were a lot of little details that were used. I really find it hard
to believe that some understanding was not gained from looking at virus
related material (maybe not full source, but tutorials or something).
> > Oh, no doubt about it. Some code out there is crap. It's the ones that
> > aren't that are the interesting ones.
>
> and how is someone learning supposed to differentiate between the two?
By looking at the code and judging it yourself, ultimately.
Recommendations which code to look at doesn't hurt. If you know how to
program though, bugs are not too hard to spot when looking at code.
> > But to have good code available,
> > there has to be certain percentage of crap out there.
>
> i'm not sure that's really true...
Why so?
It's just like with anything - there's good books and bad ones, good
foods and bad foods, well-written viruses and poorly wriotten ones. You
can never have one without the other. One has to learn to accept the
trash to have the good stuff.
> i know that... you're mostly benign people, but not very responsible in
> the grand scheme of things...
some are some aren't.
> > Some give the source to their friends or publish in zines- also
> > not an entirely bad thing.
>
> not *entirely*, no... they do at least learn about peer review that way,
> though publishing viruses is about on par with making them available on a
> website...
True, true. If published as source code only, it's not even as big a
risk as you might think. Most of the malicious spreaders are too
lazy/stupid to compile them!
> not by the time they've learned to write one, no, but i've encountered a
> number who weren't quite so mature in the virus writing chain of evolution
> who were equally immature in the more mainstream context...
Those are usually the poor fools that don't know how to write one (and
usually not interested in learning either). Needless to say, those
individuals don't get much respect from either vX or AV.
> i really think we're into a semantic debate over the meaning of practical,
> here...
Most probably. So we'll leave it at that.
> > For those that don't know the risks, they could be even more negligent
> > that and vX site in that case, maybe?
>
> no, you can't reasonably expect people to know everything...
I wish the law took the same stance, with the law books being as thick as
they are.
> > Freedom is not just a concept, its also a feeling.
> > I don't know exactly how to describe it, but it's a feeling of "I could
> > if I wanted to" (of course knowing that if it's something bad, there are
> > reprocussions).
> > The drive for security directly and actively destroys this.
> > You can't be free to do good, if you're not free to do wrong.
>
> you're not exactly free to do wrong in this context though... you only
> have as much power as the person who shared the virus gave you... that
> person is not the government and is not obligated to give you anything...
True - Not obliged to give you anything.
If you choose to give something to someone however, you should be free to
do so, providing that you are not knowingly helping that particular
individual do something bad.
If your giving out code in good faith for educational purposes, the
person who downloads it with evil intent is decieving you, and thus he
alone is responsible for the consequences. At least that's how I see it
- I know you disagree a bit with me there.
> and if you want to get down to the brass tacks, the cost of freedom is
> eternal vigilance... i'd like to see people pay for what they use...
Did I ever say word one about not catching the people who spread viruses
maliciously? I don't think so! Infact, I said quite the opposite -
catch them INSTEAD of the vX sites.
Cyclone
9bit
> people dieing is not the only bad thing that can happen in the world, you
> know... just because it doesn't cause death, doesn't mean it's ok...
Well, that's right, but I don't see you complaining about people having
access to hammers or any other real deadly weapon. And I haven't heard
of a virus even barely treatening people's health. What's the worst
thing a virus has ever done? Ignoring well deserved fools who run things
that scream in all directions that they are a virus. If possible, direct
me to some official reports or something like that.
John Ievins
> I NEED A NASTY VIRUS! HOPE YOU GOT ONE! PLEASE SEND TO ME IN AN
ATTACHMENT!
> THANKS IN ADVANCE!
*the floor begins to waste away due to the amount of rolling around on
it which John has been doing while laughing*
Bart Bailey
> On Fri, 21 Apr 2000 02:10:40 -0400, "9bit" <%0D%0...@tecel.net.ve>
> wrote:
>
> >Excuse me ya'all, But I know of nobody that has died for misuse of a
> >compiler, so what makes this virusing thing so tragic to some people?
> >
> It is possible. Most hospitals have automated many monitoring and
> other devices and theses are sometimes linked to the various
> departments via network. This permits attending physicians to have
> immediate access to various medical devices that are often controlled
> or accessed by being linked to normal PCs.
Unlike some bio-viruses, cyber-viruses don't have an airborne vector.
Putting some air between mission critical systems and any possible sources
of contamination should work fine. IOW don't expose your sensitive
databases to the internet or the capricious activities of untrusted
individuals. I've read your harangue against VXers before and the risks to
your cancer research and wondered how someone with your demonstrated
intelligence and responsibility would ever jeopardize such valued data by
exposing it to malicious code. You don't surf the 29a site from work do
you? ;-)
PaX
have an airborne vector.
Putting some air between mission critical systems and any possible sources
of contamination should work fine. IOW don't expose your sensitive
databases to the internet or the capricious activities of untrusted
individuals. I've read your harangue against VXers before and the risks to
your cancer research and wondered how someone with your demonstrated
intelligence and responsibility would ever jeopardize such valued data by
exposing it to malicious code. You don't surf the 29a site from work do
you? ;-)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Okies just a few points,
Sometimes putting space between viruses
and p[ossible critical files is not always possible in many areas and I
would thik that this applies to the medical system too.
Im sure that as a doctor Costas knows full well the implications of exposing
critical files to any risk and as the MD on his signature shows he is quite
obviously not a fool.
Similar to many large companies the health service do not tend to employ
fools..
PS:29a dont have any binaries on their site as is Coderz.net policy..
best wishes Dalt
kurt wismer
> George Wenzel wrote:
> > >The problem with the "vX folk" is that it is a very transient and
> > >scattered group. Most often people "join", learn how to write viruses,
> > >then leave. The problem is how to get to "know" the new people.
> >
> > Very true; at the very least, I think a good harm-reduction measure
> > would be simply not to send viruses to people that you know will post
> > them publicly. That would go a long way in reducing the availability of
> > viruses to people that would intentionally infect systems.
>
> That's my point. How do you KNOW, that you admit is hard to know due to
> how new "aspiring" vXers are appearing all the time, that they won't post
> code publically. You don't, so as a consequence they wont get code, will
> they?
not immediately, no... patience is a virtue...
> > >To get to be on trustworthy terms with vX (enough to get code anyways),
> > >you need to be informed of how viruses work at the very least.
> >
> > Hogwash. I include Vx web pages as part of the "Vx community". It's
> > easy to get code from those sites.
>
> I was refering to people, not web pages.
it's people who put up web pages...
kurt wismer
> kurt wismer wrote:
> > people dieing is not the only bad thing that can happen in the world, you
> > know... just because it doesn't cause death, doesn't mean it's ok...
>
> Well, that's right, but I don't see you complaining about people having
> access to hammers or any other real deadly weapon. And I haven't heard
this is alt.comp.virus, not alt.hammer, and not alt.deadly.weapon...
> of a virus even barely treatening people's health. What's the worst
> thing a virus has ever done? Ignoring well deserved fools who run things
> that scream in all directions that they are a virus. If possible, direct
> me to some official reports or something like that.
the worst that can happen is that someone who had a functioning computer
no longer has one... someone who had access to the information one needs a
computer for no longer has access... someone who could talk to the only
family they had left half-way across the world can no longer do so as
affordably or in the same way...
peoples lives are hard enough as it is, we don't need viruses on the
loose making life harder...
kurt wismer
> OK, let's trim this post down a bit.
> I'll cut out the things I mostly agree with.
fine by me... makes for quicker responses...
> kurt wismer wrote:
> > sorta depends on the person and/or the drink... i suppose if they were
> > drinking american beer they'd die of old age before they got a lethal
> > dose..:-)
>
> > i do... there are plenty of people who pay no mind to warnings on
> > websites, they just click on through to the 'good stuff'...
>
> True, but then those people are breaking the rules twice - when they
> spread it, and when they download it. Thus, in some sense, the site is a
> tertiary source.
yes, they break rules, all the more reason why those rules should be
enforced...
> > > For example the two posts:
> > > "Could I get the source to the routine to get into ring0 from the CIH
> > > virus from someone, please?" and "I need that BIOS killing virii!"
> > > There are queues to pick up on.
> > > Yet I don't see giving a nod to either when it happens.
> >
> > those aren't reliable indicators of intent or competence... smelling of
> > booze, along with an unsteady walk is a fairly good indicator of
> > drunkeness...
>
> No they are not reliable, but neither is smell, if someone's wearing a
> strong perfume or cologne.
i gather you're not all that familiar with alcoholics... booze and cologne
do not smell alike...
> And, of course, if they claim that they
> walked to the store from a party, they could persuade the clerk to sell
> anyways.
i think you miss the point... they aren't supposed to sell to drunks
whether the drunks drove there, walked there, crawled there, or were
carried on flying pink elephants...
> One can always lie - but then whose fault are the consequences?
> (not the person who was lied to IMO)
not if they took reasonable measures, but the people who put up vx
websites generally take no measures to enforce their rules...
> > well, if people are looking for 'feel-good' experiences they should stick
> > with their existing friends... frankly when someone sends me an email
> > asking for a virus (and they do) the "am i going to make him feel bad if i
> > say no" question is not the foremost thing on my mind...
>
> I didn't mean to imply it should be foremost on your mind. I'm just
> pointing out, that if you choose to reply in the affirmative, then you'll
> probably make his/her day (since the person was more or less expecting
> to be ignored by 99.9% of the people reading).
if the person is expecting to be ignored then the person recognizes that
there is good reason to be ignored...
> The reason it would make
> them feel good is because they think "someone trusts me enough and wants
> to help me".
i fully recognize why it makes them feel good, i just don't see what
making someone you don't know that well feel good has to do with
anything... you can help them in other ways, you can help them gain
competence in other ways, you can help them earn your trust by pointing
them in the right contructive direction... and by doing so you can help
the person gain trust of others aswell, because they learn what it takes
to be trustworthy... s/he becomes a better person...
> Generally speaking, people helping out people makes the people who
> recieved the help, want to help too. This tends to make the world a
> little more pleasant place to live. Now if this logic extends to
> viruses, is a topic of debate that I don't want to get into this much.
i'm sure it does extend to viruses... but viruses are a special case where
the abuse of that initial generosity can ultimately lead many people
getting hurt... helping is good, but helping in the most simplistic means
available is not always the most appropriate or helpful thing to do...
> > point of fact, i'm not suggesting anything like that for virus sharing
> > either... liquor store attendants also don't perform blood tests or rectal
> > probes...
>
> They also don't write down names of customers so that potentially later
> they could give the list to police after a DUI incident. Which is what
> the "passwords, encryption, etc, etc" you suggest is.
no it isn't... i'm talking about encrypting the samples and only giving
select people the decryption key... similar thing with the passwords...
> > > So a car salesman should be tried for negligence when a car he sold
> > > breaks down?
> >
> > no, the salesman isn't responsible for the car, the dealership is...
>
> But EVERY car breaks down eventually! Don't you think this would bog
> down the courts a little?
if you continued reading a little further you'd have noticed that i
explained "due care"... the dealership only has to take due care that the
car doesn't break down under reasonable usage circumstances...
> > > If someone has an accident in it?
> >
> > if the salesman didn't check to see that the purchaser was licenced,
> > maybe...
>
> They don't check if you have a license, if I remember correctly.
you mean they let unlicenced drivers test drive vehicles? that's a lawsuit
waiting to happen...
> > are you unfamiliar with the term "due care"... it means taking reasonable
> > measures, not herculean measures, just reasonable ones... liquor store
> > attendants take reasonable measures, car salesmen take reasonable
> > measures.. vx websites take no measures, at least none that actually do
> > anything (like a malicious spreader is going to see a "for educational
> > purposes only" sign and say 'gee, guess i'll have to go elsewhere')...
>
> Strange, I've never seen a car salesman refuse to sell someone a car :)
> (Providing the financial side did not stand in the way)
probably because unlicenced drivers tend not to try to buy cars... i can't
imagine how you register a vehicle to an unlicenced driver, though...
> > says who? the above is your bias talking... you can't envision how new
> > people could become trusted, and yet caro (which is actually stricter than
> > what i'm suggesting as it requires all members to trust the initiate
> > before the initiate can become a member) is a growing group of
> > people... new people become trusted by many, what i am suggesting only
> > requires one to become trusted by a few or even a single person in
> > order to get viruses from those few or that single person...
>
> Maybe it's just me, but I find it difficult to trust someone I've never
> met soley by email correspondence.
maybe email correspondance isn't enough for you then, perhaps you'd also
like to see how they relate to other people in public forums... (forums
specific to virus exchange i suspect)
[snip]
> > web of trust doesn't work for centralized or semi-centralized
> > distribution... though i imagine back in the days of prohibition webs of
> > trust could have helped rum runners stay out of jail...
>
> So someone should never shop for booze, outside of the one store that
> knows him?
??? huh? how did you arrive at this?
> And if recommendations were allowed from other stores to
> bypass the problem, then I think we can both see that trafficing in
> recommendations would lead to a reevaluation of the system, which would
> most likely lead to a complete crack-down on booze/viruses.
faulty logic... booze is distributed in a rather centralized manner,
viruses are not (at least not if you want to do it securely - you can't
really know hundreds of people well enough to trust them all)...
> > symbolically, yes it matters... we're talking about trust, after
> > all... you may not want to sign each and every message with your real name
> > but it sure doesn't indicate a great deal of trust if two people don't
> > even know each other's real name...
>
> True, True, but since on the net most vXers go and stick with their
> alias, it may as well be a real name for all anyone cares. In this case,
> the alias serves no purpose of hiding identity, for that is the name
> everyone knows them by.
reread the second sentence of what you quoted... we're talking about
trust... one of the ways to get people to trust you is to give them a
reason to trust you, to trust them with something - like your personal
details...
[snip]
> > > Would it make you happy, Kurt, to hear that Canadians are generally
> > > really nice too? There's really not much of a difference from a Canadian
> > > and an American.
> >
> > except for the lower homicide rate up here...
>
> I think the stats are skewed a bit due to New York, LA, Phillidephia, etc
> - at least partly.
what about toronto, montreal, or vancouver? it's the extreme places that
show the differences best...
[snip]
> > it is rather unlikely that any programmer is *completely* unaware of
> > viruses... awareness != having looked at the code, however...
>
> These were a lot of little details that were used. I really find it hard
> to believe that some understanding was not gained from looking at virus
> related material (maybe not full source, but tutorials or something).
maybe... i'd consider such materials much safer than full source or
binaries though... i don't really think they require the same kind of
trust... (can't speak to the amount of trust their distribution requires
though)
> > > Oh, no doubt about it. Some code out there is crap. It's the ones that
> > > aren't that are the interesting ones.
> >
> > and how is someone learning supposed to differentiate between the two?
>
> By looking at the code and judging it yourself, ultimately.
> Recommendations which code to look at doesn't hurt. If you know how to
> program though, bugs are not too hard to spot when looking at code.
you're putting the cart before the horse here... someone who is just
learning doesn't know how to program yet, at least not well, not in that
language...
yes, recommendations do help... and i'd recommend something other than
virus source code to someone trying to learn asm... ideally some forum
where they can get feedback from experts...
> > > But to have good code available,
> > > there has to be certain percentage of crap out there.
> >
> > i'm not sure that's really true...
>
> Why so?
just not sure, that's all... it's not like i have an opinion on
everything, y'know...
[snip]
> > > Some give the source to their friends or publish in zines- also
> > > not an entirely bad thing.
> >
> > not *entirely*, no... they do at least learn about peer review that way,
> > though publishing viruses is about on par with making them available on a
> > website...
>
> True, true. If published as source code only, it's not even as big a
> risk as you might think.
that's debatable... the risk of the virus getting turned into a binary may
be less, but the risk of that binary causing problems is greater due to
the fact that different assemblers/compilers(/command lines) produce
slightly different binaries (thus producing a new variant which may not
yet be detected by anti-virus products)...
> Most of the malicious spreaders are too
> lazy/stupid to compile them!
maybe... maybe not... the ones who put their hands up and say "here i am,
gimme a bad-ass virus" are probably not to bright in general but the
people who put their hands up and say anything are the minority in usenet
or most other forums...
> > not by the time they've learned to write one, no, but i've encountered a
> > number who weren't quite so mature in the virus writing chain of evolution
> > who were equally immature in the more mainstream context...
>
> Those are usually the poor fools that don't know how to write one (and
> usually not interested in learning either). Needless to say, those
> individuals don't get much respect from either vX or AV.
but that doesn't matter, the website will respect them...
> > > For those that don't know the risks, they could be even more negligent
> > > that and vX site in that case, maybe?
> >
> > no, you can't reasonably expect people to know everything...
>
> I wish the law took the same stance, with the law books being as thick as
> they are.
the law is charged with the responsibility of protecting people from each
other, expecting people to know the law (at least on a rudimentary
level) isn't that much to ask in comparison...
> > > Freedom is not just a concept, its also a feeling.
> > > I don't know exactly how to describe it, but it's a feeling of "I could
> > > if I wanted to" (of course knowing that if it's something bad, there are
> > > reprocussions).
> > > The drive for security directly and actively destroys this.
> > > You can't be free to do good, if you're not free to do wrong.
> >
> > you're not exactly free to do wrong in this context though... you only
> > have as much power as the person who shared the virus gave you... that
> > person is not the government and is not obligated to give you anything...
>
> True - Not obliged to give you anything.
> If you choose to give something to someone however, you should be free to
> do so, providing that you are not knowingly helping that particular
> individual do something bad.
and providing you take due care to avoid helping an unknown bad person...
> If your giving out code in good faith for educational purposes, the
> person who downloads it with evil intent is decieving you, and thus he
> alone is responsible for the consequences. At least that's how I see it
> - I know you disagree a bit with me there.
yes, i do disagree... i think the lack of due care makes one negligent,
good faith or no good faith...
> > and if you want to get down to the brass tacks, the cost of freedom is
> > eternal vigilance... i'd like to see people pay for what they use...
>
> Did I ever say word one about not catching the people who spread viruses
> maliciously? I don't think so! Infact, I said quite the opposite -
> catch them INSTEAD of the vX sites.
you misunderstand... the vx sites want freedom, they should pay the
price for that freedom...
Mohammed Lipschitz
Dr Costas Giannakenas MD wrote in message
<9ig0gsgdabrjao192...@4ax.com>...
>>compiler, so what makes this virusing thing so tragic to some people?
>>
>other devices and theses are sometimes linked to the various
>departments via network. This permits attending physicians to have
>immediate access to various medical devices that are often controlled
>or accessed by being linked to normal PCs.
>
>instantly - or progressively which is even worse as it may go
>unnoticed for a while. The resulting errors in the supposedly realtime
>data of the patients linked to these devices can mislead those
>monitoring them into unneccesary medical intervention or no action
>although such may be urgently needed.
>
>It is good to bear such possibilities in mind.....
How many people have died because they were under the care of an exhausted
young intern at the end of a 24
hour shift? I would be interested to see a scientific paper which did
compare the life-threatening risk of computer viruses in hospitals relative
to other risks, if you know of one.
9bit
news:MPG.136c34bb6...@news.edmonton.telusplanet.net...
> I think you miss the point. People don't want viruses on their
> computers. Viruses exist, and infect computers. That means viruses
> cause people problems.
That's what I am asking for, Tell me what's the worst thing a virus
has done. Again, ignoring well deserved victims.
> They force people to spend money on anti-virus
> products, which would be unnecessary if viruses didn't exist.
No, this makes money go back and forth, this indirectly helps economy.
I am reading very complex papers about this right now, if they're good
enough, they might be published within a few months.
> They
> require people to stop their everyday work so that they can remove
the
> virus infecting their system.
A virus at work? How did it get in to start with? How did it stay in
to continue with?
> They cause people to lose business
> relationships because they mistakenly send a virus to the associate.
Sending a virus to the associate? How?
If they trade warez with the associate they deserved it. If they
manufacture and sell software and it got infected they must be very
cheap progmen to start with. If it's a virus that spreads trough email
then they must have been reel dumb to get infected, and if they
noticed symptoms of a non stealthy virus and they didn't mind to get
it cleaned they also deserved to be executed under negligence charges.
> The list goes on and on. Something doesn't have to kill people to
be a
> "bad thing".
Please, give me just ONE, of the "on and on" cases that IS a real
tragedy. If possible, the most tragic you can find.
> Regards,
>
> George Wenzel
> --
> George Wenzel, B.A. (Criminology) E-Mail:
<gwe...@telusplanet.net>
> President & Webmaster, U of A Karate Club -
http://www.ualberta.ca/~karate/
Criminology?, Then I'm sure you would agree with me that almost
allways victims could have easily prevented whatever they are victims
of just by taking basic prevention measures.
PaX
allways victims could have easily prevented whatever they are victims
of just by taking basic prevention measures.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
ok I'll start with a more plesant explanation than I had first planned.
the response you came close to was a little more than a tyrade of
suggestions regarding your parentage
but I'll do the longer version.
A while ago here in the UK a man named Thomas Hamilton left his home armed
with a smith and wesson 686 .357 handgun.He turned up at the local school in
dumblane and entered the premises.Upon comming across the first of the
children in a classroom he opened fire...
I'll leave out the graphic details of what a .357 handgun does to the human
body but suffice to say it makes a mess you dont want to see twice in a
lifetime.16 children and their teacher later Hamilton turned the gun on
himself and ended the situation.
Well I had legitimate reason to be at the scene shortly afterwards because
of my job and I can assure you that the sight of childrens bodies torn apart
by handgun fire is not one that ever leaves you,neither is having to tell
the parents ,distraught with fear,that they cant go and see their children
that they have just lost,knowing full well that they would not recognise
what is left anyway.
Maybe you could explain to me what those innocent kids could have done to
stop the bullets??
Maybe you could tell the parents that they werent really "victims"
Maybe you could tell the parents that they werent really innocent??
Oh if you are thinking about giving me the newbie VX bullshit about "its the
dumb users fault" dont bother I wrote the book on excuses for writing
viruses.Ive been there,Ive done it,I still have the T-shirt so to speak.
So maybe you can tell me exactly what in this world is worth the life of ONE
child?just ONE..is there anything more important in this miserable life than
the life of only ONE child?Is the life of even ONE child worth all your
freedoms and MORE???.
Your response to George is typical of the newbie VXers im seeing around who
think that they represent some higher cyber warrior order or some other such
shit or that they are anti heroes that keep the AVers in buisness.Well your
comments may wash with some of the new kids and less than intelligent but do
yourself a favour and stay outta mainstream VX as im sure you will meet a
much more hostile response than you get here.
Dalton aka PaX
Bilge
>virus infecting their system. They cause people to lose business
>relationships because they mistakenly send a virus to the associate.
>
>The list goes on and on. Something doesn't have to kill people to be a
>"bad thing".
Perhaps using systems less prone to viruses would solve a good
bit if the problem. If people write viruses, vendors make money
selling poor software and the people that purchase the software
lose their asses, regardless of who is responsible, who is the
idiot?
Bilge
>Each time you are too ashamed of your own hypocrisy to leave in the
>definition of what you call fascism. I am restoring it again here:
>
Your point?
>
>In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
><ro...@radioactivex.lebesque-al.net> wrote
>>When restrictions are imposed upon information for the
>>sake of convenience at the expense of others, the majority of which
>>probably do not sit around an contemplate destroying the world, just to
>>stop (and not very successfully) a few, it's called fascism.
>
>>I do it
>> by making value judgements concerning what I own
>
>So you are imposing restrictions upon information for the sake of
>convenience
>
In true fascist form, you seem to think you own my property which
is why you think you should also be able to control it. Any information
I own is mine to do with as I see fit. It's fascism when I impose my
restrictions on anyone else. I'm not stopping you from posting whatever
you wish, including my credit card numbers, ssn, dl# or whatever
else you want. Go for it. I choose not to post it, but I'm not
stopping you. If I'm the only person with that infornation, well
that's news to me. I can think of any number of places that the
information exists. I'm not a fascist simply because you're too
stupid to locate the information. Forcing me to publish personal
data is just as fascist as preventing me from publishing it. In
both cases, ypu're telling me what to do with what doesnt belong
to you. I dont really expect it to sink in, but try re-reading it
once logic becomes an everyday habit.
>That is irrelevant to the fact that you are imposing restrictions on the
>information for the sake of convenience and at the expense of those who
>would study that information
>
I've posed no restrictions. Go find it and study it. Only your
own laziness is keeping ypu from obtaining the data you seek.
It's not my problem if your whims were catered to your entire life,
you want the data, deal with it. Then do as you please with it.
>
>You are both a fascist by your own definition and a hypocrite
I dont recall my definition saying anything about refusing to
help people to lazy and stupid to scam me without my help.
>
>No, you preach not imposing restrictions on information for the sake of
>convenience - let me remind you of your own words:
>
Again. What restrictions? Your restrictions are your own
limitations. I cant provide the gene therepy to boost your
IQ and motivation. If it's thaat interesting -- wail away fido.
>
>Yes you do. In accusing people of fascism because they do not support
>the uncontrolled distribution of malicious software, you are telling
>people what they can and cannot do
>
I dont care what they do withh what is theirs, only what they try to
do with what isn't. Of ccourse, being the fascist you seem, you cant
conceive of private ownership an the right to exert control over
only that which one owns.
>>
>So do you deny having written:
>
No, I dont. My assumption that nobody could be so stupid as to not
comprehend such a simple concept was obviously flawed though. Out of
anything I could have stated that there was to argue with, you managed
to miss anything but a sophomorish semantics tantrum. Live with it.
If you do find my credit card numbers, buy yourself a good dictionary.
>
>In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
><ro...@radioactivex.lebesque-al.net> wrote
>>When restrictions are imposed upon information for the
>>sake of convenience at the expense of others, the majority of which
>>probably do not sit around an contemplate destroying the world, just to
>>stop (and not very successfully) a few, it's called fascism.
>
>Because you are certainly contradicting yourself here
>--
>Robert
> I am not where I *can* see myself,
> Where I *can't* see myself, I *am*,
> I guess I'm virtually transparent ...
No. Your really transparent. Nothing virtual about it.
Randy Abrams
news:WW%M4.1806$ZL5...@news01.t-net.net.ve...
> "George Wenzel" <gwe...@telusplanet.net> wrote in message
> news:MPG.136c34bb6...@news.edmonton.telusplanet.net...
> > I think you miss the point. People don't want viruses on their
> > computers. Viruses exist, and infect computers. That means viruses
> > cause people problems.
>
> That's what I am asking for, Tell me what's the worst thing a virus
> has done. Again, ignoring well deserved victims.
The worst is going to depend on who you ask. Among the many things that
viruses do, they take time away from organizations, such as the make a wish
foundation, Junior Achievement, and a myriad of other people who must stop
helping people in order to clean up after the viruses.
> > They force people to spend money on anti-virus
> > products, which would be unnecessary if viruses didn't exist.
>
> No, this makes money go back and forth, this indirectly helps economy.
> I am reading very complex papers about this right now, if they're good
> enough, they might be published within a few months.
This is a tragically flawed argument. You assume that the money would not
have flowed otherwise. Since this is exceptionally unlikely to be the case,
it only changes the direction of the flow of money and you have not
presented any evidence that the money going to an anti-virus company is used
as well as the money going to a myriad of other uses. The fact is that
viruses force users to redirect money from uses they would prefer and this
is undeniably bad.
If you wish to continue down the economic path, however, then you would have
to buy the argument that the virus writers are spending time that they could
have used at work to earn more money, hence harming the economy with each
line of virus code they write. Of course this argument is as ridiculous as
the claim above, but oh well...
<snip>
Regards,
Randy
--
--
The opinions expressed in this message are my own personal views
and do not reflect the official views of the Microsoft Corporation.
Robert
<ro...@radioactivex.lebesque-al.net> wrote
>In true fascist form, you seem to think you own my property which
kurt wismer
> George Wenzel said some stuff about
>
> >virus infecting their system. They cause people to lose business
> >relationships because they mistakenly send a virus to the associate.
> >
> >The list goes on and on. Something doesn't have to kill people to be a
> >"bad thing".
>
> Perhaps using systems less prone to viruses would solve a good
> bit if the problem.
perhaps if we made air that bullets coundn't travel through, people
wouldn't die in wars...
ain't no such thing as 'less prone to viruses'... using less popular
systems has it's own set of problems, and if everyone did it then the
popularity rankings would change and virus writers would go after the new
platforms...
> If people write viruses, vendors make money
> selling poor software and the people that purchase the software
> lose their asses, regardless of who is responsible, who is the
> idiot?
the person who thinks idiocy is relevant, of course...
kurt wismer
> Robert said some stuff about
>
> >Each time you are too ashamed of your own hypocrisy to leave in the
> >definition of what you call fascism. I am restoring it again here:
> >
> Your point?
>
> >In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
> ><ro...@radioactivex.lebesque-al.net> wrote
> >>When restrictions are imposed upon information for the
> >>sake of convenience at the expense of others, the majority of which
> >>probably do not sit around an contemplate destroying the world, just to
> >>stop (and not very successfully) a few, it's called fascism.
> >
> >>I do it
> >> by making value judgements concerning what I own
> >
> >So you are imposing restrictions upon information for the sake of
> >convenience
> >
> In true fascist form, you seem to think you own my property which
> is why you think you should also be able to control it. Any information
> I own is mine to do with as I see fit. It's fascism when I impose my
> restrictions on anyone else.
this is all well and fine... you realize, though, that you just moved the
goal post... this is not the definition you used before, and it doesn't
have the same meaning as the one you used before...
Bilge
>Most people choose to use computer systems because they suit their needs
>and are easy to use. This is why Windows and Mac are the two most
>popular computing platforms.
>
It seems to me that a system which is prone to virus infection can
hardly meet anyones needs except in the most superficial sense of
the idea and is truly a poor long term decision. Fortunately
for the vendors, "long term" is not the way people think when
dangling a plastic carrot.
>Viruses can exist for ANY sufficiently complex computer system. Making
>a system less prone to viruses would also make it less user-friendly and
>less functional.
>
Some are less virus prone than others by virtue of the practices
that are encouraged. Microsoft should be congratulated for bringing
the urban legend of the good times virus to fruition through the
genius of executing email, and wasting bandwidth in the process
since the same information could have been typed out and sent
as ascii.
I will admit that a mac has some virtues for document preparation,
or at list did and will when display postscript comes out in the
next system. However, after using a mac, I found nothing that
was particularly user-friendly not to mention functionally constrained.
Heck, I can take the ancestor to windows NT, VMS and have a
more functional system. I once saw a VMS console frozen for
2 weeks because som many people were logged on remotely running
programs no one wanted it rebooted. While I'm sure a VMS
virus exists somewhere, I find it rather odd that a system
which was very secure devolved into NT which had naby
similar features, but microsoft encouraged insane behaviour
to make worthless.
I don't call poorly written software which is prone to
infection, user freindly. luser freindly maybe.
Bilge
>In article <slrn8g98o...@radioactivex.lebesque-al.net>, Bilge
><ro...@radioactivex.lebesque-al.net> wrote
>--
That was a real good rebuttal there, bobert. But, I dont see the problem,
since I straightened out your misconception. Isn't it enough to simply
not interfere with you plastering whatever personal informaation you want
-- of mine -- up for grabs? You cant seriously expect (well, maybe on
a good day you cant), me to simply walk up with a butler outfit and a
silver tray with my credit card numbers just because I'm broken up about
your opinion of me, can you? While your on a spree, add a copy of the
US Constitution to the dictionary. Try to see what the basic plot was
intended to do, like restrict governement. If this is representative
of the regular readers, I think I am unlikely to get an answer to
my post.
Bilge
>this is all well and fine... you realize, though, that you just moved the
>goal post... this is not the definition you used before, and it doesn't
>have the same meaning as the one you used before...
>
Excuse me? If you really equate imposing restrictions on what others
decide to do and not do with making a personal choice to do whatever
you see fit with your own property, you missed an civics class.
If you're from the us or familiar with it in any way, try the
1st amendment to the contitution. If you aren't from here, chances
are you'll find something similar in your own national policy.
If the 1st amendment to the US constitution is a problem for you,
well, there isn't much I can say that wasn't stated better than the
amendment.
Feel free to take my statement an create a suitable inference. If that
is the only point you can make, I have no problem with leaving you to
your red-herring. It's a bit hard to fathom why you chose to argue
a semantics point as the long suit of the argument you claim to be
so zealous about.
Bilge
>
>systems has it's own set of problems, and if everyone did it then the
>popularity rankings would change and virus writers would go after the new
>platforms...
>
makes it difficult to pracice security and encourages unconciousness
then you end up with virus prone systems (This only includes
NT, 98 and 95 are hopeless to secure). Aystem installs which
overwrite libraries at will, require writing in tmp files in
system sirectories by unprivileged users, are examples of complete
disregard for any principle related to secure computing. As far as
95 and 98 are concerned, those can still be hosed over a network
with old, cheap attacks. Why would you think what is less visible
get's more attention? Now go examine plan9. There is no account
with superuser status. There is no way for an administrator to even
read user files with dumping them to tape, so even during any
maintainence, it will be virtually impossible to infect anything
but your own files, and then not system files and the original
implementation didn't really set out to make security thee
priority. Then there is inferno. It does the java sandbox, but
better. Once again, it's difficult to wreck something if
any thought was given to how the system is used.
>> If people write viruses, vendors make money
>> selling poor software and the people that purchase the software
>> lose their asses, regardless of who is responsible, who is the
>> idiot?
>
>the person who thinks idiocy is relevant, of course...
You really want to state to the world that stupidity has no
bearing on infection? As an example, I never put a floppy
in my system that's ever been on another system. I throw
them away. My brother laughed at that about one week before
calling and asking how to disinfect his system after using
some disks to move some files to one of freind's systems
that I told him to toss. It think trading your hard drive
contents to save $0.50 is pretty stupid. Stupidity
is obviously relevant/
Robert
<ro...@radioactivex.lebesque-al.net> wrote
>Robert said some stuff about
>Re: From ANONYMOUS to usenet:
> >In article <slrn8g98o...@radioactivex.lebesque-al.net>, Bilge
> ><ro...@radioactivex.lebesque-al.net> wrote
> >>In true fascist form, you seem to think you own my property which
> >FOAD hypocrite
> >--
>
>
> That was a real good rebuttal there, bobert. But, I dont see the
>problem,
> since I straightened out your misconception.
You did no such thing. You accused me of being a fascist which your own
words prove you to be. You are a proven hypocrite and no amount of
wriggling will get you out of that.
You are the person who stated
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
And also who stated:
In article <slrn8frdk...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
> I take responsibility for my own security.
When asked to put that into practice by making available information
upon which you impose restrictions for the sake of convenience and at
the expense of others just to stop a few.
*You* defined that as fascism, not me
*You* are the hypocrite who doesn't act according to that which he
attempts to impose upon others, not me
*You* are the fascist by your own definition, not me
>Isn't it enough to simply
> not interfere with you plastering whatever personal informaation you
>want
> -- of mine -- up for grabs?
Once again you demonstrate that you do not believe your own words. What
was it you said about the intentions of the majority of people asking
for "information" in this group ? Here it is:
In article <slrn8fgdp...@radioactivex.lebesque-al.net>, Bilge
<ro...@radioactivex.lebesque-al.net> wrote
>When restrictions are imposed upon information for the
>sake of convenience at the expense of others, the majority of which
>probably do not sit around an contemplate destroying the world, just to
>stop (and not very successfully) a few, it's called fascism.
Now FOAD hypocrite
9bit
> <<scarry tale part>>
No, my statement was wrong, It didn't apply to criminal activity, I got
it wrong. I admit it. Don't hit me so hard.
> Oh if you are thinking about giving me the newbie VX bullshit about "its the
> dumb users fault" dont bother I wrote the book on excuses for writing
> viruses.Ive been there,Ive done it,I still have the T-shirt so to speak.
A T-Shirt? Wow!. No I am not a VX, I just like viruses because they're
out of the common scheeme of aplication sofware. I try and write some
sometimes (just sometimes, not very often and not all are completed, and
none are released/used), but that doesn't make me a VX does it? Immagine
how many VXs there would be then.
> Your response to George is typical of the newbie VXers im seeing around who
> think that they represent some higher cyber warrior order or some other such
> shit or that they are anti heroes that keep the AVers in buisness.
Hmmm... they DO keep AVers in business. But I don't think of myself as a
holy crusader or anything like that. I just enjoy the tricky works of
VXers, because of the trickiness, It's like the more complex manuevers
you do when you play chess, but on a more real scenario, a PC.
> Well your
> comments may wash with some of the new kids and less than intelligent but do
> yourself a favour and stay outta mainstream VX as im sure you will meet a
> much more hostile response than you get here.
Right, I am not justifying virusing, I think thats the idea you got, I
am just saying that I don't see why they (viruses) have to be seen as
such an horrible disaster. Many DO see the infection of a comp as a real
disaster, not that it's good but in the worst of cases it will cost...
How much?, 1K at worst? You tell how much has the worst of cases costed,
you have to know, just don't come up with a "billy infected #######
comps and the total cost of the HD space was $$$$$"
9bit
nowere, someone has to take them in, actually it has to be the user.
My question about the worst thing a virus has done happens to be a real
question you know? I don't know the answer you know? If you happen to
know of a case X in wich someone who's name doesn't matter couldn't X
because a virus did X, in a case in wich he had nothing to do with the
infection (kinda like his comp being sold to him infected or anything
not being his fault), please tell me. This is the last time I ask, all
I get is "bad things... ppls not being able to play quake..."
George Wenzel wrote:
> >If they
> >manufacture and sell software and it got infected they must be very
> >cheap progmen to start with.
>
> I think that Microsoft is a very cheap company, don't you? They're
> distributed infected disks on at least a couple of occasions.
Yes, MS is... crap!, that's the word. There's evidence of this. But
Windows is still a good choice because of the software other
manufacturers make, it's all made for windows (the best ones). And I'm
not interested in discussing wether or not MS is cheap, so don't start
with the earnings they get or the price of MS in the stock market. If
you like their software, enjoy it!, you paid for it, you have the right.
I am not an Anti-MS guy and I won't be anti-advocating MS.
> >If it's a virus that spreads trough email
> >then they must have been reel dumb to get infected,
>
> Sure, blame the victim. After somebody breaks into your house, do the
> police tell you that you're "reel dumb" not to have titanium plating
> over your windows?
Waita second, there is a difference between someone _breaking in_ to
your house and you _bringing in_ a virus into your comp. The only
exception of viruses that spread trough email that can get into your
comp without notice are those that used the activex vulnerability in
MSIE (See?, crap.).
> I don't blame victims of crime for being victimized. I blame the
> criminals for doing the victimization.
Ouch, you're right, Let's stick to the virusing thing. I was confused,
It was not related to criminology, it was related to security, victims
of accidents, nevermind, not related.
Bilge
>
>their system.
>
What do you call a program like microsofts regwhiz, that
extolled the virtues of signing up for maintainence and
the perused the disk contents? Forget about the replication
aspect since replication is only the means to achieve a
malicious result and isn't anything out of that context.
What about the recent bill that failed in house of representatives
(last fall/late summer -- I can find the bill number if need be
due to disbelief) where the us government intended to provide
tax incentives to companies that built in back doors to
encryption software provided they DID NOT tell the us citizens
that would be purchasing the product. Is that installing
code that acts maliciously on the part of the vendor? How
is that fundamentally differennt fron a mallicious virus,
other than I'd prefer the virus?
>
>Not in my mind. Viruses get into computer systems because people don't
>have adequate security procedures/systems to prevent the infection.
>Burglars get into houses because people don't have adequate security
>procedures/systems to prevent the break-in.
>
What do you call code that gets downloaded from a web page,
you know your're downloading it and it doesn't inform you
of ALL of it's functionality? Unless you have a real solid
legal requirement to impose across the board, let me suggest
that NO software or security tool will tell you what the
intent of the program is. If someone has no common sense,
the best protection in the world is useless. How much are
you willing to say is acceptable in hiding the functionality
of could downloaded as a java applet or ActiveX control
to cater to the coprorate insistence that they be
permitted to keep their software proprietary so that
you are effectively hindered from applying different
rules to othe maalicious code? Does unacceptable replication
count if it only happens in memory?
>
>I _was_ sticking to the "virusing" thing. I blame the virus
>writers/distributors for infecting computer systems. I don't blame
>victimized users because they didn't secure their computers
>sufficiently.
>
That wasn't an issue. The issue was punishing a person by not
allowing them access to viral code because some other people
have used viruses to infect people that don't pay attention.
You;ve turned the actual issue into a trite and obvious
statement about nothing of consequence. So, rather than
continuing to restate the obvious, if you don't think the
victim should be responsible for the actions of the
perpetraitor, how can you possibly penalize some that
isn't even involved by an aprori restraint on what programs
he may have? What ever you think about being punished
for one's own stupidity, being punished for the actions of
someone else, and for yet a second person's stupidity is
even more absurd.
PaX
holy crusader or anything like that. I just enjoy the tricky works of
VXers, because of the trickiness, It's like the more complex manuevers
you do when you play chess, but on a more real scenario, a PC.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
its ok to play the game,however the cost can be either a jail term for the
Author..or in the case of a doctor maybe the potential loss of a patient.
It all really depends on how high the price is you are happy to pay
Dalt
PaX
writers/distributors for infecting computer systems. I don't blame
victimized users because they didn't secure their computers
sufficiently.<<<<<<<<<<<<<<<<
a little wide ranging George,in general I generally hold the "hi i wanna
infect this bitch that....." type of persons for infections and not always
the author.I accept that a degree of responsibility must lay with the author
as If it hadnt been written it could not infect,but not all authors wish to
see their work used or abused hence the reason that a number of viruses that
are available never spread beyond the authors system or his close friends.
Admittedly when dave Smith did Melissa he openly admitted to allowing the
virus to become wild(legally admitted) and yet when Chen did CiH it was not
in fact him that released it into the wild but shared it with many people
one or more of which did.Ok I agree that Chen maybe chose his circle of
trusted people a little less well than he should have done.(dont anybody
bother flaming me for the understatement I am fully aware of what CiH has
done).
I personally feel that the "i wanna virus to F*** over blah blah " are the
persons most likely to cause damage.
Take for another example...Win2k.inta or Win2k.msi as 29a called it..
is it on the wild list?does anybody here other than VX or AV have it?
and yet tyhe number of copies around are quite high and it currently causes
little or NO threat to general users.
thats about all i got for now..=]
best wishes Dalt
Bilge
>
>house viruses. How likely they are to catch a virus is directly related
>to how much of a target they are for virus writers. Right now, Windows
Nonsense. An operating system which neglects to fully utilize
the protection built in the hardware is no where near as secure
as one that does. A multi user system, by necessicty cordons off
users. You simply cannot write to system files to infect them
without having the privilege level to do it. Window98 and 95
do not segregate processes. Windows NT put the video into the kernel.
>Please, let's not get into that debate here. It's off-topic for this
>newsgroup.
>
You say that as if you hadn't been the one to bring it as your
main point for using one. If you want to stay on topic that
badly, then stay on topic. Don't expect to make a point with
something off topic if you plan to be condescending about the
rebuttal being off topic. It's sort of built in to the nature
of your point.
>User-friendliness of software has nothing to do with its vulnerability
>to attack. Often, the most vulnerable software is the most easy to use.
It does if your concept of easy to use includes finding poor
security a necessity for something to be easy to use. Personally,
I find all of the froof a big pain in the ass, so easy-to-use is
obviously not the universal concept you seem to think. Since I
figured there was little chance of you figuring that out, I
simply didn't elaborate. I'll remedy that - The ingrained idea
of what constitutes easy-to-use as envisioned by microsoft
marketing promotes extremely poor security and lackadasical if
not outright hostility to the notion that security might
burden them with something as complex as remebering their
own passwords or not casually inserting a disk in a system
with anything they intend to keep. Sheesh. Any mail system
that blindly executes code from arbitrary senders is not
easy to use. It's an ill-conceived piece of crap that costs
a lot of mony to put on a facade of easy to use because people
are too stupid to realize that having to disinfect a few
hundred pc's detracts directectly from the ease of use.
Do you see microsoft telling people not to use activex?
Not hardly. I can see how people would be tempted to write
hostile activex controls for the same reason people find
it amusing to play the same practical joke on someone that
will fall for it over and over and never get any more snap.
I'm only surprised businesses haven't woken up to the fact
that they could probably pull off a class action against
microsoft for 15 years of negligence that's cost billions.
It's also a bit hard to see how one can purchase products from
and defend a company that has been found guilty of violating
us law and still has 140 more lawsuits pending against them
when this is done and then make any sort of credible statement
about the ethics of anyone else. It's like a theif treating
a burglar with disdain for being a criminal.
Bilge
>
>people don't know (and, for that matter, don't care) about viruses and
>computer security. They have more important things to worry about.
>
Ignorance only lasts until you know there's a problem. At that
point, failure to become informed is stupidity.
>I don't expect every computer user to be well versed in how to secure
>their system. I don't think other people should have that expectation
>either.
>
Then you shouldn't expect to ever secure a corporate network nor eliminate
viral infections. The users are the weak link. If they don't cooperate and
fire up an occasional brain cell, there is not much point in even wasting
time and money on an attempt.
>>Stupidity is obviously relevant/
>
>I think it's stupid to say that an ignorant person is "stupid".
Ignorance is being unaware. Stupidity is choosing to stay that way.
kurt wismer
> George Wenzel said some stuff about
>
> >Most people choose to use computer systems because they suit their needs
> >and are easy to use. This is why Windows and Mac are the two most
> >popular computing platforms.
> >
> It seems to me that a system which is prone to virus infection can
> hardly meet anyones needs
a system which is not prone to virus infection can hardly meet anyones
needs unless they're just interested in a simple calculator...
> >Viruses can exist for ANY sufficiently complex computer system. Making
> >a system less prone to viruses would also make it less user-friendly and
> >less functional.
> >
> Some are less virus prone than others by virtue of the practices
> that are encouraged.
now you're being absurd... some systems are more secure because people use
them more securely?
people could use microsoft systems securely, it is not the system that is
more secure it's the way people use it that is more secure... secure usage
can be applied to any system...
[snip]
> I don't call poorly written software which is prone to
> infection, user freindly. luser freindly maybe.
all 'software' is prone to infection...
kurt wismer
> kurt wismer said some stuff about
>
> >this is all well and fine... you realize, though, that you just moved the
> >goal post... this is not the definition you used before, and it doesn't
> >have the same meaning as the one you used before...
>
> Excuse me? If you really equate imposing restrictions on what others
> decide to do and not do with making a personal choice to do whatever
> you see fit with your own property, you missed an civics class.
are you feeling alright? you seem to be missing the point... you used a
definition... as a matter of courtesy others replied to you using your own
definition so that we could all be talking about the same thing and then
you changed your definition when it was made obvious that the first one
was wrong... don't blame *me* if the wrong words came out of your mouth...
kurt wismer
> kurt wismer said some stuff about
> >
> >ain't no such thing as 'less prone to viruses'... using less popular
> >systems has it's own set of problems, and if everyone did it then the
> >popularity rankings would change and virus writers would go after the new
> >platforms...
> >
> systems are designed to be used in certain ways. If the design
> makes it difficult to pracice security and encourages unconciousness
> then you end up with virus prone systems (This only includes
> NT, 98 and 95 are hopeless to secure).
security (true security) and ease of use are fairly mutually exclusive
ideas, security is always difficult to some extent...
> Aystem installs which
> overwrite libraries at will, require writing in tmp files in
> system sirectories by unprivileged users, are examples of complete
> disregard for any principle related to secure computing.
some systems are not multi-user systems... it doesn't make a lot of sense
to use a multi-user system when there is only one user, and to do so would
make the system more difficult to use...
> As far as
> 95 and 98 are concerned, those can still be hosed over a network
> with old, cheap attacks.
when they aren't secured, any system can be hosed over a network...
>Why would you think what is less visible
> get's more attention?
where'd this come from? it's popularity which determines how much
attention a system gets from virus writers, not visibility... and the
relationship is not one of inverse proportionality...
>Now go examine plan9. There is no account
> with superuser status. There is no way for an administrator to even
> read user files with dumping them to tape, so even during any
> maintainence, it will be virtually impossible to infect anything
> but your own files,
as the preponderance of macro virus infections in the wild indicates, only
being able to directly infect your own files does not necessarily limit
the spread of viruses...
it is the nature of networks that people share documents, it's how useful
work gets done...
> >> If people write viruses, vendors make money
> >> selling poor software and the people that purchase the software
> >> lose their asses, regardless of who is responsible, who is the
> >> idiot?
> >
> >the person who thinks idiocy is relevant, of course...
>
> You really want to state to the world that stupidity has no
> bearing on infection?
yes...
> As an example, I never put a floppy
> in my system that's ever been on another system. I throw
> them away.
that's pretty ridiculous...
> My brother laughed at that about one week before
> calling and asking how to disinfect his system after using
> some disks to move some files to one of freind's systems
> that I told him to toss. It think trading your hard drive
> contents to save $0.50 is pretty stupid. Stupidity
> is obviously relevant/
to the stupid, perhaps... not to viruses though... lack of knowledge of
anti-virus security != stupidity, ergo stupidity is not relevant to virus
infections...
by the way, why not simply perform an unconditional reformat of the
floppies? it is wasteful and unnecessary to toss them out...
Patricia A. Shaffer
wrote:
Or how high a price, in your supreme wisdom, you are willing to cause
others to pay ... since VX authors are so seldom caught, the innocent
people who lose data, time, and peace of mind when a virus chomps on
their files. It took me weeks to recover from a virus my son brought in
on a game of Rogue, way back in the '80's, before either of us ever got
online.
--
Patricia
Proud Citizen of the Commonwealth of Virginia
"Anti-spammers are the immune system of the Internet." (CDR M. Dobson)
"The spam wars are about rendering email useless for unsolicited
advertising before unsolicited advertising renders email useless
for communication."(Walter Dnes/Jeff Wynn) Opt-out is cop-out! <http://www.cauce.org>
Evelyn
because if children didn't go to him for their drugs they would go to
someone else who polluted the stuff.
Sure a virus can't kill but surely a bit of imagination will tell you that
not all users are rich corporations who will twirl their moustaches and say
'Hah, that fooled me'
This is going to sound a bit wet but 8 years ago I was diagnosed with a rare
form of myopathy, a slow muscle-wasting illness. The first area to go was
my right thumb so I couldn't write properly. I learnt left-handed but it was
very slow. My father bought me a computer and I was delighted to find that
I could type with it. When I discovered the Internet, my world, which was
beginning to shrink, opened up again and I was able to learn and be useful.
There is no way I could ever afford another PC if this one was broken by a
virus or anything else. I would just have to do without. It is only
through this group that I learnt how to try and protect myself from the
threat of a virus and perhaps,even recover if I get one. I didn't even
understand what a virus was before. No one is born knowing this.
I am by no means the only user who has had their life improved by this
technology. I personally know 2 disabled users, far worse off than I. One
is desperately trying to keep his Windows 3.1 going a few years longer so
that it will outlive him. He has thousands of friends world-wide who he
contacts by email.
My friend, Bob, was dismissed as stupid at school because he was actually
profoundly deaf. Now, at 87, his self-esteem has rocketed because he has
learnt how to use a computer and he proudly sends me emails telling me about
what he has learnt. He saved up because he doesn't go on holidays or drink.
Some people are disabled in another way - they can be painfully shy and find
that meeting people through newsgroups is a wonderful way to socialise.
My children have a priceless advantage when they study because so much
information is available- not all schools can afford decent IT compartments
and not all of them have an on-site-expert who can help them if their system
is infected.
Love
Ev
"9bit" <%0D%0...@tecel.net.ve> wrote in message
> That's what I am asking for, Tell me what's the worst thing a virus
> has done. Again, ignoring well deserved victims.
>
> > They force people to spend money on anti-virus
> > products, which would be unnecessary if viruses didn't exist.
>
> No, this makes money go back and forth, this indirectly helps economy.
> I am reading very complex papers about this right now, if they're good
> enough, they might be published within a few months.
>
> > They
> > require people to stop their everyday work so that they can remove
> the
> > virus infecting their system.
>
> A virus at work? How did it get in to start with? How did it stay in
> to continue with?
>
> > They cause people to lose business
> > relationships because they mistakenly send a virus to the associate.
>
> Sending a virus to the associate? How?
>
> If they trade warez with the associate they deserved it. If they
> manufacture and sell software and it got infected they must be very
> cheap progmen to start with. If it's a virus that spreads trough email
> then they must have been reel dumb to get infected, and if they
> noticed symptoms of a non stealthy virus and they didn't mind to get
> it cleaned they also deserved to be executed under negligence charges.
>
> > The list goes on and on. Something doesn't have to kill people to
> be a
> > "bad thing".
>
9bit
I don't mind if David writes Mellisa, Jeniffer, Sharon and Lisa, no
preblem with me. But HE personally went arround spreading Mellisa (or so
they say), thats the point. Funny thing is that Mellisa is a case in
wich it would be in place to blame the user, because when you open it
MSWord gives a very explicit warning and ASKS the user to disable macros
if it didn't come from a trustworthy source, even more, macro virii come
with their source code (they are their scode) and the user can even look
at it to see what it does before running it. In the case of Mellisa,
even the most ignorant user can tell because David Smith was kind enough
to include comments.
Oh, again, I am NOT defending David, It's just a comment, somewhat
offtopic because it's a specific case.
9bit
> > That wasn't an issue. The issue was punishing a person by not
> > allowing them access to viral code because some other people
> > have used viruses to infect people that don't pay attention.
>
> person being "punished" by being denied access to viral code?
>
> I have a friend that works at the local university; he's a
> microbiologist. He works with _real_ viruses (primarily Herpes). Is
> the public being "punished" because he doesn't give out virus samples to
> anybody who asks for them? Of course not.
Well, George, Tomorow I'll infect your comp with a virus. Scared? Of
course not. What can I do to infect your comp? I can't just put a virus
in the air and order it to infect you, at best I can mail you a virus
and see If you open it (I wont). But, imagine you wake up and get outa
yer house and you find a tuna can in front of your door, you eat it? If
you do, who is to be blamed if it was poisoned? And I dont mean who's
responsible for the can having poison, I mean who's responsible for
someone feeling sick after the events.
Real thing virii can simply be released in the air (some) and their
targets won't be able to delete them from their inbox.
Cyclone
lengthy (or any for that matter) posts recently.
kurt wismer wrote:
> > True, but then those people are breaking the rules twice - when they
> > spread it, and when they download it. Thus, in some sense, the site is a
> > tertiary source.
>
> yes, they break rules, all the more reason why those rules should be
> enforced...
I agree. They should.
The problem with your logic there is that, as long as the code is not
being spread maliciously, the person who downloaded them is acting
according to the wishes of the web site. Thus, the people to catch are
the malicious spreaders.
> > No they are not reliable, but neither is smell, if someone's wearing a
> > strong perfume or cologne.
>
> i gather you're not all that familiar with alcoholics... booze and cologne
> do not smell alike...
Well true, I'm not much of a drinker, but would a strong after-shave be a
better example?
Besides, some of those "fragrences" people wear smell worse then a day
old roadkill skunk. Since some of them smell SO bad, my highest priority
is getting those people away from me ASAP, rather than seeing if
underneath the stench they have liquor breath.
> > And, of course, if they claim that they
> > walked to the store from a party, they could persuade the clerk to sell
> > anyways.
>
> i think you miss the point... they aren't supposed to sell to drunks
> whether the drunks drove there, walked there, crawled there, or were
> carried on flying pink elephants...
Since when? Again, I'm not drunk very often, so I can't say I've ever
tried to buy alcohol in that condition, but all I see in the liquor store
is an "above 18" sign - no ".8 blood alcohol" sign.
> > One can always lie - but then whose fault are the consequences?
> > (not the person who was lied to IMO)
>
> not if they took reasonable measures, but the people who put up vx
> websites generally take no measures to enforce their rules...
That could be because as long nothing illegal is being done with the
viruses, the vX sites have nothing to complain about. When something
illegal is done with the viruses, then that's a matter for the police -
not the vX site. Then the site can help out with logs and stuff.
Just like a liquor store attendant can't escort you home, neither can a
vX webmaster.
> i fully recognize why it makes them feel good, i just don't see what
> making someone you don't know that well feel good has to do with
> anything... you can help them in other ways, you can help them gain
> competence in other ways, you can help them earn your trust by pointing
> them in the right contructive direction... and by doing so you can help
> the person gain trust of others aswell, because they learn what it takes
> to be trustworthy... s/he becomes a better person...
So standing 2 hours in line in a government building waiting for the
opporunity to fill out a form so you could stand another 3 hours in
another line for some license or other, is then, by the same token, also
making you a better person for which you should be grateful, right?
Personally, I find it impersonal, cold, disheartening, and
disillusioning.
It just doesn't seem like the most pleasnt way of doing things. Sure, if
you have good intentions you pass the tests, and eventually get what you
want. But if it doesn't ruin your day, it's a miracle. And when you
boil down society as to why we all put up with cities and everything
else, it's to have a better, happier life.
Please don't underplay the importance of at least occasionally making a
stranger feel good or welcome.
> getting hurt... helping is good, but helping in the most simplistic means
> available is not always the most appropriate or helpful thing to do...
And you standard responces of "go away" are better?
> > They also don't write down names of customers so that potentially later
> > they could give the list to police after a DUI incident. Which is what
> > the "passwords, encryption, etc, etc" you suggest is.
>
> no it isn't... i'm talking about encrypting the samples and only giving
> select people the decryption key... similar thing with the passwords...
That's my point.
A liquor store does not get your ID, cross refernce it with people they
are ALLOWED to sell alcohol to (not to be confused with people that are
NOT allowed to get alcohol), and only then hand over the goods.
What you're proposing for viruses is just that - and yet you admit that,
although more localized, damage from alcohol can be much greater than
that of viruses.
> if you continued reading a little further you'd have noticed that i
> explained "due care"... the dealership only has to take due care that the
> car doesn't break down under reasonable usage circumstances...
You apply "reasonable usage circumstances" to a car long enough and it
will break down.
> > They don't check if you have a license, if I remember correctly.
>
> you mean they let unlicenced drivers test drive vehicles? that's a lawsuit
> waiting to happen...
I don't recollect a test drive being mandatory for the purchase of an
automobile either.
> > > web of trust doesn't work for centralized or semi-centralized
> > > distribution... though i imagine back in the days of prohibition webs of
> > > trust could have helped rum runners stay out of jail...
> >
> > So someone should never shop for booze, outside of the one store that
> > knows him?
>
> ??? huh? how did you arrive at this?
Well, imagine you moved from Toronto to say Vancouver. You wouldn't know
any of the stores there, thus the stores couldn't trust you enough to
sell anything to you, right? This, of course, makes the reasonable
assumption that one cities liquor stores are blisfully ignorant of the
"trustwebs" built up in other cities.
> > And if recommendations were allowed from other stores to
> > bypass the problem, then I think we can both see that trafficing in
> > recommendations would lead to a reevaluation of the system, which would
> > most likely lead to a complete crack-down on booze/viruses.
>
> faulty logic... booze is distributed in a rather centralized manner,
> viruses are not (at least not if you want to do it securely - you can't
> really know hundreds of people well enough to trust them all)...
...and yet which is more dangerous in the wrong hands?
Under the same logic, shouldn't booze be distributed in a similar trusted
web scheme too, instead of the centralized scheme? Naturally, the
quantity of people wanting booze is too great for this. Does that mean,
however, that if 50% of the planet suddenly started collecting viruses,
that a centralized scheme would become ok too? So, that brings up the
question, should the quantity of people interested in something be the
deciding factor in how accesible something is?
> > I think the stats are skewed a bit due to New York, LA, Phillidephia, etc
> > - at least partly.
>
> what about toronto, montreal, or vancouver? it's the extreme places that
> show the differences best...
There are parts in Toronto I'd rather not venture into at night either.
Don't forget that places like New York and LA, are 3 times larger than
Toronto - you'd expect it to be a little worse.
> > By looking at the code and judging it yourself, ultimately.
> > Recommendations which code to look at doesn't hurt. If you know how to
> > program though, bugs are not too hard to spot when looking at code.
>
> you're putting the cart before the horse here... someone who is just
> learning doesn't know how to program yet, at least not well, not in that
> language...
>
> yes, recommendations do help... and i'd recommend something other than
> virus source code to someone trying to learn asm... ideally some forum
> where they can get feedback from experts...
Pardon? When did I suggest that learning from source should be done by
people who don't have a clue of the differnce between a .c, .asm, exe
file? The people which are likely to gain insight are only those who are
competant at the language in which the virus sample they're looking at is
written in! I never said anything to the contrary.
Since I assume some knowlege of the language, it's not unreasonable to
assume that a person can judge good code from bad, and/or is unable to
find bugs.
Viruses are, of course, not the thing to learn ASM by. They can only
serve to gain further insight if you already know the basics. To treat
them as something complete newbies learn how to program from is silly.
> > Most of the malicious spreaders are too
> > lazy/stupid to compile them!
>
> maybe... maybe not... the ones who put their hands up and say "here i am,
> gimme a bad-ass virus" are probably not to bright in general but the
> people who put their hands up and say anything are the minority in usenet
> or most other forums...
Most probably there are a few of those out there. I don't estimate it's
a very large number however. Afterall, with most spreader, it seems they
think: why should they put in the extra effort, if they can be spoon
fed.
> > True - Not obliged to give you anything.
> > If you choose to give something to someone however, you should be free to
> > do so, providing that you are not knowingly helping that particular
> > individual do something bad.
>
> and providing you take due care to avoid helping an unknown bad person...
So this "unknown person" does not have a right to annonymity, and must
give up all his secrets (to make sure they are not the "unknown bad
person").
And so we come full circle - sometimes (usually) one has to assume that
the person is an "unknown good person" until proven otherwise. (and to
counter your rebuttal that a website still serves even the "proven
otherwise" - to that I say, take away the computers from the inmates!
[since those are the "known bad people"])
> > > and if you want to get down to the brass tacks, the cost of freedom is
> > > eternal vigilance... i'd like to see people pay for what they use...
> >
> > Did I ever say word one about not catching the people who spread viruses
> > maliciously? I don't think so! Infact, I said quite the opposite -
> > catch them INSTEAD of the vX sites.
>
> you misunderstand... the vx sites want freedom, they should pay the
> price for that freedom...
They do. It's called a service fee to be on the net.
Since the sites are not doing anything wrong, I don't see why they should
be paying for more than that - as you seem to be implying.
Evelyn
"Evelyn" <eve...@woolston.greatxscape.net> wrote in message
<lots of mushy stuff snipped>
Ugh! I can almost hear the violins playing! Sorry about that group. PMT.
Love
Ev
kurt wismer
> But, how can you discriminate the "good" type from the "hostile" type?
>
> I don't mind if David writes Mellisa, Jeniffer, Sharon and Lisa, no
> preblem with me. But HE personally went arround spreading Mellisa (or so
> they say), thats the point. Funny thing is that Mellisa is a case in
> wich it would be in place to blame the user, because when you open it
> MSWord gives a very explicit warning and ASKS the user to disable macros
the warning only pops up if that particular security feature is enabled in
word97... and documents with macros are not uncommon in some settings...
> if it didn't come from a trustworthy source, even more, macro virii come
melissa generally came from trustworthy sources though... people whose
names are in your addressbook are generally people you communicate with
regularly...
at least they were trustworthy enough for those who didn't know any better
(which would have been 99+% of the population at the time)...
> with their source code (they are their scode) and the user can even look
> at it to see what it does before running it. In the case of Mellisa,
> even the most ignorant user can tell because David Smith was kind enough
> to include comments.
since when can the most ignorant users make sense out of or even know to
look at virus source code?
Bart Bailey
> On Sat, 22 Apr 2000 10:50:45 -0700, Bart Bailey <nos...@all.thanks>
> wrote:
>
> >Dr Costas Giannakenas MD wrote:
> >
> >> On Fri, 21 Apr 2000 02:10:40 -0400, "9bit" <%0D%0...@tecel.net.ve>
> >> wrote:
> >>
> >> >Excuse me ya'all, But I know of nobody that has died for misuse of a
> >> >compiler, so what makes this virusing thing so tragic to some people?
> >> >
> >> It is possible. Most hospitals have automated many monitoring and
> >> other devices and theses are sometimes linked to the various
> >> departments via network. This permits attending physicians to have
> >> immediate access to various medical devices that are often controlled
> >> or accessed by being linked to normal PCs.
> >
> >Unlike some bio-viruses, cyber-viruses don't have an airborne vector.
> >Putting some air between mission critical systems and any possible sources
> >of contamination should work fine. IOW don't expose your sensitive
> >databases to the internet or the capricious activities of untrusted
> >individuals. I've read your harangue against VXers before and the risks to
> >your cancer research and wondered how someone with your demonstrated
> >intelligence and responsibility would ever jeopardize such valued data by
> >exposing it to malicious code. You don't surf the 29a site from work do
> >you? ;-)
> >
>
> Bart,
>
> My "harangue against VXers"? Actually it was me who caught the flak
> recently when I didn't follow the trend of VX-bashing :-) I do NOT
> approve of people abusing their knowledge for any form of malignant
> actions. But I do not think that VXers are a bunch of evil, twisted,
> psychotic etc, etc geeks without a life. There are those with an
> imaginary or not chip on their shoulder who seek to do harm but I
> personally believe that most of them expriment in coding viruses
> without actually spreading them. I may be wrong but this is my
> personal opinion so I guess I am entitled to it :-)
I tend to agree with your assessments of the VX community in that there is a
only lesser subset that actually feels the need for control or recognition
enough to wantonly disperse their creations. However, with the growth of a
cyber oriented populace, that "percentage" of malcontents could remain stable
yet their numbers would increase.
> You are correct in assuming that I do not jeopardize any valued data
> (or any other data for that matter) by exposing it to possible if
> improbable attack. However, there are ways of getting possible access
> to the systems in question if one is really determined to do so *if*
> this determination is backed up by the neccessary know-how. I mean,
> look at the way hackers have managed to intrude on the bastions of
> network security (or at least the assumed bastions) such as the
> Pentagon. If they can hack those systems then hospitals, research
> centers etc etc are a relatively small challenge for their expertise.
"Never say never" goes the aphorism, but I doubt an altruistically oriented
organization such as a hospital or health research center would have the same
lure as an ostensibly belligerent one like the Pentagon. In the case of the FBI
ddos shutdown, that was only a cosmetic site unrelated to their internal
activities, the recent "accidental" loss of a laptop has caused them more
insomnia.
> Anyway, as this was originally about virus (etc) infections, I will
> just say that **it can happen at any time.
>
> Try this : using a disk/ZIPdisk etc to backup or transfer data from a
> (non-networked for safety) system to another. Damn! The disk had a
> boot or other virus and there goes the "safe" system.
Not to be argumentative, but this could only happen in a compromised
circumstance.
> Cause of the
> disaster can be called human error but with new viruses, droppers,
> worms etc emerging every day (and becoming detectable some days/weeks
> later) who can blame the user? The root of the problem is therefore
> the very existance or rather the deliberate spread of viruses - this
> does not contradict my (personal) opinion as stated above :-) Writing
> is different to deliberate spreading.
Yep, proof of concept vs. proof of contempt.
> Prevention IS the best therapy but who can foresee what new clone,
> strain etc someone may construct?
All the more reason to remain vigilant with sensitive systems.
> You mentioned bio-viruses as being different and they are. But as for
> their behaviour in the environment there is more of a similarity than
> a difference. Both bio and coded viruses can mutate, get cloned, can
> transform etc.
I still maintain that "air" will effectively shield against cyber-viruses.
> And most important, in both cases we can only hope to
> become aware of them (detect and identify them) before they cause
> irreversible damage. Taking the required precautions is important but
> these are not always enough :-(
>
> Regards,
>
> Costas
>
> ==========================
> Costas Giannakenas MD, PhD
> ==========================
Your well written response is appreciated and I don't mean to appear sarcastic
in reply, I worked in a technical field [communications troubleshooting] until
retirement and political diplomacy is a luxury that I'm only recently learning.
Bart Bailey
> <~~~>
> Criminology?, Then I'm sure you would agree with me that almost
> allways victims could have easily prevented whatever they are victims
> of just by taking basic prevention measures.
To play devils advocate for a moment, what about the subway victims of the
Falun Gong attack?
Bart Bailey
<~~~>
> I personally feel that the "i wanna virus to F*** over blah blah " are the
> persons most likely to cause damage.
Not me, I'm just a curious newbie to this phenomenon.
> Take for another example...Win2k.inta or Win2k.msi as 29a called it..
> is it on the wild list?does anybody here other than VX or AV have it?
I DLed it from some site,don't recall which, over a month ago, and in a somewhat
related response to your claim regarding the Coderz policy, I recall obtaining
several variants of krilie and toady from one of their linked sites.
> and yet tyhe number of copies around are quite high and it currently causes
> little or NO threat to general users.
My guess is that somethimg that infects an install app for a new OS would have
to be present at installation, All my friends who have tried NT5 have started
from a format rather than an "on top of" upgrade so aren't vulnerable, do they
represent general users? don't know.
PaX
somewhat
related response to your claim regarding the Coderz policy, I recall
obtaining
several variants of krilie and toady from one of their linked
sites.<<<<<<<<<<<
The original binary downloads from Coderz were links to SoK.jp as I
remember.Evul has little or no control over what is hosted and linked on
sites.JP was a tribute site to our days at the original Source Of Kaos when
it was "requested" to be removed by a federal agency.As I stated before
Coderz policy is not to host binaries but im sure Evul /John can explain
this better than I.
>>>>>My guess is that somethimg that infects an install app for a new OS
would have
to be present at installation, All my friends who have tried NT5 have
started
from a format rather than an "on top of" upgrade so aren't vulnerable, do
they
represent general users? don't know.<<<<<<<<<<<<<<<<<<<<<<<<<,
As I understand it is also 29a's policy not to spread viruses as their
members are all acomplished programmers and most are "old school" anyways.
Put it this way you wont find many Idiots getting membership.
(D forgive my intrusion into 29a buisness)
Best wishes Dalt
kurt wismer
> Sorry for the delay. Real life responsibilities forced me to not write
> lengthy (or any for that matter) posts recently.
>
> kurt wismer wrote:
[snip]
> > yes, they break rules, all the more reason why those rules should be
> > enforced...
>
> I agree. They should.
> The problem with your logic there is that, as long as the code is not
> being spread maliciously, the person who downloaded them is acting
> according to the wishes of the web site.
this is not a problem with my logic... i'm proposing preventative
measures, while you seem to think it's enough to "play catch up" (to
borror a phrase)...
> Thus, the people to catch are
> the malicious spreaders.
obviously those are the people to *catch* but those aren't the only people
contributing to the problem...
realistically, we will never be able to catch all the spreaders, if we get
all the current spreaders then more will spring up in their
place... obviously then simply catching them isn't going to be very
effective...
> > > No they are not reliable, but neither is smell, if someone's wearing a
> > > strong perfume or cologne.
> >
> > i gather you're not all that familiar with alcoholics... booze and cologne
> > do not smell alike...
>
> Well true, I'm not much of a drinker, but would a strong after-shave be a
> better example?
i don't think so, no...
> Besides, some of those "fragrences" people wear smell worse then a day
> old roadkill skunk. Since some of them smell SO bad, my highest priority
> is getting those people away from me ASAP, rather than seeing if
> underneath the stench they have liquor breath.
then don't get a job in a liquor store...
> > > And, of course, if they claim that they
> > > walked to the store from a party, they could persuade the clerk to sell
> > > anyways.
> >
> > i think you miss the point... they aren't supposed to sell to drunks
> > whether the drunks drove there, walked there, crawled there, or were
> > carried on flying pink elephants...
>
> Since when? Again, I'm not drunk very often, so I can't say I've ever
> tried to buy alcohol in that condition, but all I see in the liquor store
> is an "above 18" sign - no ".8 blood alcohol" sign.
i don't know when it started, i just know that's the policy up
here... they even mention it in their commercials and cite it as
"acting responsibly" (on their part)...
> > > One can always lie - but then whose fault are the consequences?
> > > (not the person who was lied to IMO)
> >
> > not if they took reasonable measures, but the people who put up vx
> > websites generally take no measures to enforce their rules...
>
> That could be because as long nothing illegal is being done with the
> viruses, the vX sites have nothing to complain about.
lets face reality here, the people who put up the websites don't follow
up, they don't check if something bad was done with a virus from their
site... from a practical standpoint they turn a blind eye, they don't show
any signs of really caring that nothing illegal was done... the
disclaimers are hollow and without any real meaning except as a lame
attempt to cover their own arses (which all disclaimers are, really)...
> When something
> illegal is done with the viruses, then that's a matter for the police -
> not the vX site. Then the site can help out with logs and stuff.
point of fact, your logs will be next to useless... the police have to
prove that a virus that infected someone came from the spreader, the fact
that the spreader had the virus at one point prior to the illegal
infection is purely circumstantial... it's logs on the victim's system or
logs on the isp from which the spreader spread the virus publicly that are
important...
> Just like a liquor store attendant can't escort you home, neither can a
> vX webmaster.
a liquor store attendant can refuse your request for service, and so can a
vx webmaster...
> > i fully recognize why it makes them feel good, i just don't see what
> > making someone you don't know that well feel good has to do with
> > anything... you can help them in other ways, you can help them gain
> > competence in other ways, you can help them earn your trust by pointing
> > them in the right contructive direction... and by doing so you can help
> > the person gain trust of others aswell, because they learn what it takes
> > to be trustworthy... s/he becomes a better person...
>
> So standing 2 hours in line in a government building waiting for the
> opporunity to fill out a form so you could stand another 3 hours in
> another line for some license or other, is then, by the same token, also
> making you a better person for which you should be grateful, right?
waiting in line is not comparable to learning what it takes to become
competent and trustworthy...
> Personally, I find it impersonal, cold, disheartening, and
> disillusioning.
waiting in line is, sure... giving people constructive advice on a
one-on-one basis is anything but...
> It just doesn't seem like the most pleasnt way of doing things.
then please recognize that it *isn't* the way i'm suggesting things be
done...
[snip]
> Please don't underplay the importance of at least occasionally making a
> stranger feel good or welcome.
there is a time and place for everything...
> > getting hurt... helping is good, but helping in the most simplistic means
> > available is not always the most appropriate or helpful thing to do...
>
> And you standard responces of "go away" are better?
my standard responce is not "go away"... my standard responce informs the
recipient of how their actions can contribute to problem of virus
spreading... in the beginning i left the process of coming up with an
alternative method of operation up to them but sufficient numbers seemed
to be misinterpreting my intent so it has been revised to include what i
think is a more responsible model of virus sample aquisition...
> > > They also don't write down names of customers so that potentially later
> > > they could give the list to police after a DUI incident. Which is what
> > > the "passwords, encryption, etc, etc" you suggest is.
> >
> > no it isn't... i'm talking about encrypting the samples and only giving
> > select people the decryption key... similar thing with the passwords...
>
> That's my point.
> A liquor store does not get your ID, cross refernce it with people they
> are ALLOWED to sell alcohol to
i think you're confused... that's exactly what they do... if the id
doesn't indicate you're in the *allowed* group (the people over 18) then
you don't get any...
> (not to be confused with people that are
> NOT allowed to get alcohol), and only then hand over the goods.
> What you're proposing for viruses is just that
what i propose for viruses is *NOT* significantly different than what is
already done for alcohol...
in both systems the suitability of the person asking for the thing is
judged before they are given the thing they asked for... being helpful to
those whom you initially refuse is above and beyond this system and is
something i'm suggesting for those who don't want to 'ruin peoples
days'...
> > if you continued reading a little further you'd have noticed that i
> > explained "due care"... the dealership only has to take due care that the
> > car doesn't break down under reasonable usage circumstances...
>
> You apply "reasonable usage circumstances" to a car long enough and it
> will break down.
reasonable usage circumstances recognize that mechanical wear and tear
occurs and that machines have a finite usable life span...
> > > They don't check if you have a license, if I remember correctly.
> >
> > you mean they let unlicenced drivers test drive vehicles? that's a lawsuit
> > waiting to happen...
>
> I don't recollect a test drive being mandatory for the purchase of an
> automobile either.
it's not, but registration is...
> > > > web of trust doesn't work for centralized or semi-centralized
> > > > distribution... though i imagine back in the days of prohibition webs of
> > > > trust could have helped rum runners stay out of jail...
> > >
> > > So someone should never shop for booze, outside of the one store that
> > > knows him?
> >
> > ??? huh? how did you arrive at this?
>
> Well, imagine you moved from Toronto to say Vancouver. You wouldn't know
> any of the stores there, thus the stores couldn't trust you enough to
> sell anything to you, right?
sigh... you're confused again... *stores* represent fairly centralized
distribution of goods - my web of trust model is, as it's name suggests,
not centralized - it's a network of people... ergo it doesn't work for
stores... it works for crooks though...
[snip]
> > > And if recommendations were allowed from other stores to
> > > bypass the problem, then I think we can both see that trafficing in
> > > recommendations would lead to a reevaluation of the system, which would
> > > most likely lead to a complete crack-down on booze/viruses.
> >
> > faulty logic... booze is distributed in a rather centralized manner,
> > viruses are not (at least not if you want to do it securely - you can't
> > really know hundreds of people well enough to trust them all)...
>
> ...and yet which is more dangerous in the wrong hands?
booze, *BUT* determining whose hands are the wrong hands with booze is
significantly easier to do and does not rely on trusting the owner of
those hands...
with viruses, trusting the owner of those hands is all you've got...
> Under the same logic, shouldn't booze be distributed in a similar trusted
> web scheme too, instead of the centralized scheme?
no, as i said above (and in a message further back in the thread) it is
easier to determine who can buy booze than it is to determine who won't
spread viruses... first hand inspection of the customer and his/her id is
the most that's required for selling booze...
> Naturally, the
> quantity of people wanting booze is too great for this. Does that mean,
> however, that if 50% of the planet suddenly started collecting viruses,
> that a centralized scheme would become ok too?
no... it is not the number of people who want it that makes it ok...
> So, that brings up the
> question, should the quantity of people interested in something be the
> deciding factor in how accesible something is?
no, it should not...
> > > I think the stats are skewed a bit due to New York, LA, Phillidephia, etc
> > > - at least partly.
> >
> > what about toronto, montreal, or vancouver? it's the extreme places that
> > show the differences best...
>
> There are parts in Toronto I'd rather not venture into at night either.
> Don't forget that places like New York and LA, are 3 times larger than
> Toronto - you'd expect it to be a little worse.
a little? before the amalgamation the absolute number of homicides was
~65 annually (in a city of over 2 million)...
maybe it's because i'm an disadvantaged inner city kid, but theres no part
of toronto that intimidates me...
> > > By looking at the code and judging it yourself, ultimately.
> > > Recommendations which code to look at doesn't hurt. If you know how to
> > > program though, bugs are not too hard to spot when looking at code.
> >
> > you're putting the cart before the horse here... someone who is just
> > learning doesn't know how to program yet, at least not well, not in that
> > language...
> >
> > yes, recommendations do help... and i'd recommend something other than
> > virus source code to someone trying to learn asm... ideally some forum
> > where they can get feedback from experts...
>
> Pardon? When did I suggest that learning from source should be done by
> people who don't have a clue of the differnce between a .c, .asm, exe
> file? The people which are likely to gain insight are only those who are
> competant at the language in which the virus sample they're looking at is
> written in! I never said anything to the contrary.
if they're already competent then they aren't really learning much from
the virus... at least, not about programming...
> Since I assume some knowlege of the language, it's not unreasonable to
> assume that a person can judge good code from bad, and/or is unable to
> find bugs.
that's quite an assumption... definitely not one i'd make... if all it
took was some knowledge of the language people would be able to recognize
their own code as good or bad...
> Viruses are, of course, not the thing to learn ASM by. They can only
> serve to gain further insight if you already know the basics. To treat
> them as something complete newbies learn how to program from is silly.
then we agree...
> > > Most of the malicious spreaders are too
> > > lazy/stupid to compile them!
> >
> > maybe... maybe not... the ones who put their hands up and say "here i am,
> > gimme a bad-ass virus" are probably not to bright in general but the
> > people who put their hands up and say anything are the minority in usenet
> > or most other forums...
>
> Most probably there are a few of those out there. I don't estimate it's
> a very large number however. Afterall, with most spreader, it seems they
> think: why should they put in the extra effort, if they can be spoon
> fed.
really? and how many spreaders do you know?
> > > True - Not obliged to give you anything.
> > > If you choose to give something to someone however, you should be free to
> > > do so, providing that you are not knowingly helping that particular
> > > individual do something bad.
> >
> > and providing you take due care to avoid helping an unknown bad person...
>
> So this "unknown person" does not have a right to annonymity, and must
> give up all his secrets (to make sure they are not the "unknown bad
> person").
please... don't put words in my mouth... i now you and you're still
anonymous...
> And so we come full circle - sometimes (usually) one has to assume that
> the person is an "unknown good person" until proven otherwise.
that may be the way you see things, but in practice that's rather
irresponsible to assume such without basis...
> (and to
> counter your rebuttal that a website still serves even the "proven
> otherwise" - to that I say, take away the computers from the inmates!
> [since those are the "known bad people"])
they aren't the only "known bad people"... is spanska in jail? no... does
spanska spread viruses? yes... does one have to be a virus writer to be
able to spread viruses without getting caught? no...
> > > > and if you want to get down to the brass tacks, the cost of freedom is
> > > > eternal vigilance... i'd like to see people pay for what they use...
> > >
> > > Did I ever say word one about not catching the people who spread viruses
> > > maliciously? I don't think so! Infact, I said quite the opposite -
> > > catch them INSTEAD of the vX sites.
> >
> > you misunderstand... the vx sites want freedom, they should pay the
> > price for that freedom...
>
> They do. It's called a service fee to be on the net.
wrong fee... the price of freedom is eternal vigilance... *THAT* is what
you must pay for your freedom...
> Since the sites are not doing anything wrong, I don't see why they should
> be paying for more than that - as you seem to be implying.
it is the cost of freedom... it is not unheard of that people unwilling to
pay for things they use have those things taken away from them... it is
not inconceivable that if the vx does not self-regulate that they will be
regulated by they authorities...
which would you prefer? i'd prefer the former, myself... i don't think we
need any more regulation..
--
"i'm gonna break,
i'm gonna break my,
i'm gonna break my rusty cage,
and run"
9bit
pretty confussive, sorry for that, I was confused in that moment. I didn't
refer to crime victims but to accident victims (or rather, protagonists). I
couldn't ever make such a claim since I myself feel so vulnerable and
defenseless against crime that I have been trying to put a 1 inch thick
steel plate inside my car's driver seat. Oh, yeah, and I _don't_ think
that's basic prevention, that's rather paranoia but, I think aditional
safety is never out of place.
Before this leads to any comments, I don't really live in a bunker or ask
everyone for his/her ID before meeting him, or wear a bulletproof suit or
anithing like that, it's just that I happen to travel trough somewhat
dangerous places, situation that, of course, I avoid as much as possible.
Please don't comment.....
"Dr Costas Giannakenas MD" <cos...@privacy.net> wrote in message
news:c7ufgs48nc461uj8d...@4ax.com...
> I assume that you are referring to the Tokyo subway so.....
>
> AAAAARGH! It was the Japan's secretive Aum Shinrikyo sect that was
> responsible and not the (Chinese) Falun Gong (who are not at all
> militant, aggressive etc AFAIK) :-)
9bit
news:Pine.SOL.4.21.000426...@eddie.cdf...
> the warning only pops up if that particular security feature is enabled in
> word97... and documents with macros are not uncommon in some settings...
Yes, right, default settings will give you the warning. If you're so dumb to
disable this feature by accident you must probably have formatted your HD by
accident a few times allready ('k maybe not so much, but you know what I
mean). You need a drivers license to drive, to get it you need to prove you
can drive, to use a comp, you don't. This wont change. Why? because comerce
benefits from idiots and because those idiots can't kill their costumers for
using a computer in the dumbest way possible.
> melissa generally came from trustworthy sources though... people whose
> names are in your addressbook are generally people you communicate with
> regularly...
>
> at least they were trustworthy enough for those who didn't know any better
> (which would have been 99+% of the population at the time)...
Freddy sent me a file, he's my friend, my friends can't have a virus, right?
My friends haven't ever had a virus, right? How could any of Fred's files
have a virus? How could any file he downloaded from our virus-free net be
infected? Hmmm... Not dumb?
> since when can the most ignorant users make sense out of or even know to
> look at virus source code?
Word macros, they are silly vb scripts, but Melissa even had COMMENTS,
comment lines. I don't remember exactly what they said but they said it was
a virus. I believe you have the source, if not I can post the comment lines.
Since you are very smart and know so much about computers I assume you know
what comments are. But even if you don't, if you look at Melissa's source,
you'll note some lines that say it is a virus (in human lang, not in vb).
Ok, enough with Melissa, David got caught and, to the eyes of the law, he's
the only guilty one. And you know what? Even tough I don't agree with that,
I don't care. Because what happens to him wont affect me. But putting him in
jail wont make Melissa's victims any safer. Sending Melissa's victims to
comp school would make everyone safer. Disagree with this!
Questions (reel ones): How can you know if I want a virus to infect someone
or if I just want it for my collection? How can you know if I want a virus
source to examine it or to compile it and infect someone? Why do you want
people to be AVers or Vxers to have access to a virus' source?
I think if you give everyone info on the workings of virii people would stop
asking if image.jpg is infected or if it would be safe to connect to the net
knowing that Josh is infected and is connected, in fact, I bet many would
stop being infected in reel stupid ways. I once heard someone say that to
immunize her comp against a virus she would get a virus from an infected
disk and runit in her comp so that the AVsoftware will detect it and
inmunize her comp against it.
Joke: Is there a virus that changes all "." for "..." and impairs the user
from using caps?
Cyclone
> this is not a problem with my logic... i'm proposing preventative
> measures, while you seem to think it's enough to "play catch up" (to
> borror a phrase)...
:)
Well, until we have a reliable method of reading peoples minds, that's
all we have. And like it or not, that's all that law enforcement is, and
IHMO is supposed to be.
> realistically, we will never be able to catch all the spreaders, if we get
> all the current spreaders then more will spring up in their
> place... obviously then simply catching them isn't going to be very
> effective...
Careful Kurt. You're on the verge of proposing a system that has failed
everywhere it's been tried by all who tried it. Eliminating possible
opposition has been tried by some of history's greatest tyrants (Hitler,
Stalin, et al). Making it not possible for any crimes/resistance to
happen is historically proven to be a mistake - no matter how well
intentioned the person doing it was (they all tried to make a kinder,
gentler socialism which worked [and all failed]).
The police are a re-actative force - or that's what they're intended to
be. Expecting them to catch all past, present crimanals is nice - but
impossible to achive at 100%. Expecting them to catch all future
criminals is not in their job description and a VERY bad idea. Likewise,
making them catch and stop people who are not doing anything wrong, but
whose products are being misused for bad is an equally a bad idea.
Simply put, in any working society there will always be a crime rate.
The question is how it's handled once a crime is committed. If the
police are too stupid/lazy to investigate crimes (which I think we both
know happens sometimes), then prehaps it's time to get the officers some
computer training and/or motivation courses, instead of having them sit
in the donut shops 24-7.
> then don't get a job in a liquor store...
Not planning to, but thanks for the advice :)
> > That could be because as long nothing illegal is being done with the
> > viruses, the vX sites have nothing to complain about.
>
> lets face reality here, the people who put up the websites don't follow
> up, they don't check if something bad was done with a virus from their
> site... from a practical standpoint they turn a blind eye, they don't show
> any signs of really caring that nothing illegal was done... the
> disclaimers are hollow and without any real meaning except as a lame
> attempt to cover their own arses (which all disclaimers are, really)...
And how would you propose a system to follow up if a virus from their
site was used for malicious purposes. There is no way at the present
time. If there was a centralized database of malicious virus spreaders
that was accessible from vX sites (that didn't compromise the annonimty
of those of those that pass the check [which is possible with one-way
encryption techniques]), I'm sure that most vX sites would gladly make it
a standard check before allowing any downloads from their sites.
Until such a system is available, then a dialog box of "Do you intend to
maliciously spread viruses? (Y/N)" is about the best they can do (while
still being open to newcomers).
> > So standing 2 hours in line in a government building waiting for the
> > opporunity to fill out a form so you could stand another 3 hours in
> > another line for some license or other, is then, by the same token, also
> > making you a better person for which you should be grateful, right?
>
> waiting in line is not comparable to learning what it takes to become
> competent and trustworthy...
Is that so? Why are you standing in line then? Isn't that the reason
why you're at the ministry of <fill in the blank> in the first place - to
be certified as trustworthy (which naturally takes time)? You should be
happy with the wait, as you're being assured that the time that you're
waiting is being used by them to create a safer tommorow by verifying
that no untrustworthy individuals get past them - including yourself.
> > Please don't underplay the importance of at least occasionally making a
> > stranger feel good or welcome.
>
> there is a time and place for everything...
Oh, most definitely - I didn't mean it should be a primary concern.
> my standard responce is not "go away"... my standard responce informs the
> recipient of how their actions can contribute to problem of virus
> spreading... in the beginning i left the process of coming up with an
> alternative method of operation up to them but sufficient numbers seemed
> to be misinterpreting my intent so it has been revised to include what i
> think is a more responsible model of virus sample aquisition...
I understand what you're trying to do, but it's hardly relevant to the
person who asks "Can someone send me XYZ virus? I'm curoius how it does
function ABC", since they are not trying to distribute the virus - they
are trying to recieve the virus. Thus your posts sometimes sound like
they're aimed more at people who are thinking of responding to them
rather than to those who actually ask.
> > That's my point.
> > A liquor store does not get your ID, cross refernce it with people they
> > are ALLOWED to sell alcohol to
>
> i think you're confused... that's exactly what they do... if the id
> doesn't indicate you're in the *allowed* group (the people over 18) then
> you don't get any...
Afraid you are wrong there.
Group of allowed people is that which is:
(Above18) && (!Drunk) [if you like C syntax :) ]
Their names are not recorded and cross-referenced to some list somewhere
(centralized or not). To get alcohol you simply need to meet those two
simple requirements - hence anonymous. It is not:
(ResponsibleDrinkers) && (!Drunk)
Once the criteria for Responsible Drinking is required, a list has to
exist somewhere of those who fit and who don't. Thus the following
equation is assumed:
ResponsibleDrinker= Above18 && !Drunk
Will that let people slip through the cracks? Of course! As will the vX
assumption:
ResponsibleUser= ReadAndAgreedToDisclaimer.
The closest analogy to under 18 liquor example is for a vX site to block
access to viruses from domains that lie within a country where viruses
are not allowed (I believe there are a few countries like that). Again,
I don't think that that is something vX webmasters would mind doing is
requested.
> what i propose for viruses is *NOT* significantly different than what is
> already done for alcohol...
On the contrary - see above.
> > You apply "reasonable usage circumstances" to a car long enough and it
> > will break down.
>
> reasonable usage circumstances recognize that mechanical wear and tear
> occurs and that machines have a finite usable life span...
We're getting of topic here...
Well, then again, that's not much of a topic is it? :)
> sigh... you're confused again... *stores* represent fairly centralized
> distribution of goods - my web of trust model is, as it's name suggests,
> not centralized - it's a network of people... ergo it doesn't work for
> stores... it works for crooks though...
So you could get samples from person X, but to get a virus from person Y,
you'd either have to get to know Y, or persuade X to get it from Y and
send it to you? Sounds like a hassle - especially if the chain of people
is 40-50 people long.
> booze, *BUT* determining whose hands are the wrong hands with booze is
> significantly easier to do and does not rely on trusting the owner of
> those hands...
>
> with viruses, trusting the owner of those hands is all you've got...
You're making the assumption that above 18 and sober is all that's
required to be responsible. Personally, that doesn't sound like even a
subset, much less an equality to me.
> > Naturally, the
> > quantity of people wanting booze is too great for this. Does that mean,
> > however, that if 50% of the planet suddenly started collecting viruses,
> > that a centralized scheme would become ok too?
>
> no... it is not the number of people who want it that makes it ok...
These were meant more as rhetorical questions, but since you brought it
up... since booze can be so dangerous, why shouldn't it be distributed as
a secure web model too, in that case? (If not for convinience?)
> a little? before the amalgamation the absolute number of homicides was
> ~65 annually (in a city of over 2 million)...
When a city grows really large/crowded, I don't think the crime rate goes
up linearly. But enough about New York - those are memories I'd rather
not dredge up again.
> if they're already competent then they aren't really learning much from
> the virus... at least, not about programming...
>
> > Since I assume some knowlege of the language, it's not unreasonable to
> > assume that a person can judge good code from bad, and/or is unable to
> > find bugs.
>
> that's quite an assumption... definitely not one i'd make... if all it
> took was some knowledge of the language people would be able to recognize
> their own code as good or bad...
Judging from your statements, you're not much of a programmer, are you?
The things gained from source are the algorithms (and implementation
details on how to achieve them). Source code is not meant as a
substitute for knowledge - never has been. Supplementary documents are
often needed to gain a full understanding.
As for locating bugs in source, it's not hard to to spot that someone
forgot to (re)initialize a variable or something equally silly (which is
what most bugs are) once you know how the algorithm works.
> > Most probably there are a few of those out there. I don't estimate it's
> > a very large number however. Afterall, with most spreader, it seems they
> > think: why should they put in the extra effort, if they can be spoon
> > fed.
>
> really? and how many spreaders do you know?
Actually I don't know if I know any. It's not the first question I ask
when I meet someone. I judge this by which viruses are spread, and by my
impressions of the constant stream of people who post "I n33d 4 r3411y
N457y ViRii!!". Maybe I'm not getting a fair cross-section by that - who
knows :)
> > So this "unknown person" does not have a right to annonymity, and must
> > give up all his secrets (to make sure they are not the "unknown bad
> > person").
>
> please... don't put words in my mouth... i now you and you're still
> anonymous...
And yet you stated that you don't trust me enough to send me a virus,
right? You're proving my point.
> > And so we come full circle - sometimes (usually) one has to assume that
> > the person is an "unknown good person" until proven otherwise.
>
> that may be the way you see things, but in practice that's rather
> irresponsible to assume such without basis...
Perhaps. But, it's done all the time in the real world.
Every merchant in the world could be considered irresponsible to some
extent (as they all must sell to people they don't know personally) - vX
sites are no exception.
> they aren't the only "known bad people"... is spanska in jail? no... does
> spanska spread viruses? yes... does one have to be a virus writer to be
> able to spread viruses without getting caught? no...
Yes, there are people who slip between the cracks. Law enforcemnt is not
perfect - live with it.
The fact that Spanska distributes viruses is the fault of vX sites then?
> > > you misunderstand... the vx sites want freedom, they should pay the
> > > price for that freedom...
> >
> > They do. It's called a service fee to be on the net.
>
> wrong fee... the price of freedom is eternal vigilance... *THAT* is what
> you must pay for your freedom...
I was aware of that being what you meant, but my point is that vX sites
are not the ones commiting the evil deads - rather the spreaders who are
consiously breaking the law (unlike the drunks buying boooze as they
could be too drunk to understand).
The vX site can only try to help out after the fact - since the little
prevention/vigilance that could - in theory - be possible, is not
possible yet.
> not inconceivable that if the vx does not self-regulate that they will be
> regulated by they authorities...
>
> which would you prefer? i'd prefer the former, myself... i don't think we
> need any more regulation..
Naturally, I agree with you that government intervention could only
create more problems. The issue here is more how much self regulations
can you reasonable expect from a vX site. I don't like your web-based
security model as it has accessibility and annonimity problems. If an
idea for a better system comes along, there is no reason why I'd not
support it, however.
Bilge
>Replication is simply replication. Viruses need not have any specific
>"malicious" goal in order to still be viruses.
>
So malicious software is ok, so long as replication isn't
involved, but once it replicates, it's a bad thing, huh?
>> What about the recent bill that failed in house of representatives
>
>The house of what? Never heard of them. And who's Bill?
>
As someone in criminology, it doesnt surprise me you aren't familiar
the the government.
>
>If that was an issue, you didn't bring it up previously. How is a
>person being "punished" by being denied access to viral code?
>
Gee. It was the basic concept that started the whole thread.
>I have a friend that works at the local university; he's a
>microbiologist. He works with _real_ viruses (primarily Herpes). Is
>the public being "punished" because he doesn't give out virus samples to
>anybody who asks for them? Of course not.
We weren't discussing biology. But since you answered your own question
anyway, it wouldn't make any difference.
Bilge
>
>its ok to play the game,however the cost can be either a jail term for the
>Author..or in the case of a doctor maybe the potential loss of a patient.
>It all really depends on how high the price is you are happy to pay
>
Let's see, maybe a handful of people have ever been arrested and
the number of infections is, what? I'd say the odds are probably
less than being struck by lightening.
Bilge
>
>now you're being absurd... some systems are more secure because people use
>them more securely?
>
You bet. When you install software on say, VMS, the vendor would not
even consider requiring the code comingled with the system. No vendor
would consider overwriting system libraries, No vendor would consider
having user tmp files in system directories, mail readers read mail,
they dont execute it, you are encouraged to not have sufficient
privilige to hose your system unless you absolutely need it.
Go look at the DEC manuals for security for either VMS or any
of their unix versions. Try solaris. Try plan9 or inferno. Try
QNX. None of those systems encourage the kind of sloppy behaviour
that is built into windows. Front page server extensions were so
ported to unix, presumably with microsoft's idea of security,
and everything it did required superuser privilige while it failed
to deny access to the world. I suppose if you've never used anything
but dos and windows, a multi-user structure that enforces some
concept of privilige is pretty foreign.
>people could use microsoft systems securely, it is not the system that is
>more secure it's the way people use it that is more secure... secure usage
>can be applied to any system...
>
Not when software installs take care of overwriting dll's
and make automatic registry edits to encourage people not
to pay attention to details.
>all 'software' is prone to infection...
>
Write a virus for VMS. Make sure you dont assume you
can run as a priviliged user. VMS should look somewhat
similar to NT. NT was code DEC decided not use from
a similar system called Prism. VMS can control things like
page faulting and working set size on a per user basis.
I doubt you can write code that will infect a VMS
system. I'm certain it can be done, but I doubt you
could find a way to read the disk in any other way
but the file handed to you from a system call. Believe
it or not, other systems aren't so cavalier about
letting arbitrary cod have access to system files.
Bilge
>some systems are not multi-user systems... it doesn't make a lot of sense
>to use a multi-user system when there is only one user, and to do so would
>make the system more difficult to use...
>
Without multi-user ability you can't implement all of the hardware
protection available. If every process runs as a priviliged process,
you cant ever prevent hardware access.
>as the preponderance of macro virus infections in the wild indicates, only
>being able to directly infect your own files does not necessarily limit
>the spread of viruses...
>
It prevents you from wiping out your system and allows you to execute
suspect code compartmentalized from data you don't want to destroy.
>
>yes...
>
>> As an example, I never put a floppy
>> in my system that's ever been on another system. I throw
>> them away.
>
>that's pretty ridiculous...
>
You're disk contents are obviously worth less than the 0.50 for a
floppy. Mine cant be replaced by simple renstall, and it's not
trivial to insure you have up to the minute backups that aren't
infected.
>
>to the stupid, perhaps... not to viruses though... lack of knowledge of
>anti-virus security != stupidity, ergo stupidity is not relevant to virus
>infections...
>
This only reaffirms my belief.
>by the way, why not simply perform an unconditional reformat of the
>floppies? it is wasteful and unnecessary to toss them out...
>
It's not worth the 0.50 cents to screw with it.
Bilge
>
>are you feeling alright? you seem to be missing the point... you used a
>definition... as a matter of courtesy others replied to you using your own
>definition so that we could all be talking about the same thing and then
>you changed your definition when it was made obvious that the first one
>was wrong... don't blame *me* if the wrong words came out of your mouth...
>
Gee. Even in my country no one would have guessed courtesy was
involved. I didn't word anything incorrectly. Perhaps english isn't
your native language. However, since the article I posted received
only one followup that wasn't an attempt to answer my post and the post
has expired on my news server, I'll leave you to your squabbles since
I'm obviously going to have to go elsewhere to find someone that can
program in a language beside VB and x86 macro assembler to get an
answer. It's been real...
kurt wismer
> kurt wismer wrote:
> > this is not a problem with my logic... i'm proposing preventative
> > measures, while you seem to think it's enough to "play catch up" (to
> > borror a phrase)...
>
> :)
> Well, until we have a reliable method of reading peoples minds, that's
> all we have.
no, it's all that's in place, but it is not all we have... we have a web
of trust method... it is already in place in one organization and it
works...
[snip]
> > realistically, we will never be able to catch all the spreaders, if we get
> > all the current spreaders then more will spring up in their
> > place... obviously then simply catching them isn't going to be very
> > effective...
>
> Careful Kurt. You're on the verge of proposing a system that has failed
> everywhere it's been tried by all who tried it. Eliminating possible
> opposition has been tried by some of history's greatest tyrants (Hitler,
> Stalin, et al). Making it not possible for any crimes/resistance to
> happen is historically proven to be a mistake - no matter how well
> intentioned the person doing it was (they all tried to make a kinder,
> gentler socialism which worked [and all failed]).
> The police are a re-actative force - or that's what they're intended to
> be. Expecting them to catch all past, present crimanals is nice - but
> impossible to achive at 100%.
i know this, that's why i'm not suggesting it..
> Expecting them to catch all future
> criminals is not in their job description and a VERY bad idea.
i know this, that's why i'm not suggesting it...
> Likewise,
> making them catch and stop people who are not doing anything wrong, but
> whose products are being misused for bad is an equally a bad idea.
and i'm not suggesting this either... i'm not suggesting anything that
involves police or laws, or anything like that... have you forgotten what
a web of trust is already?
my statement was merely pointing out that catching the crooks, especially
in this context, is going to do little or nothing (since so few actually
get caught) to improve the situation... to put it simply, we cannot rely
on police to fix all our problems... that isn't their job...
> Simply put, in any working society there will always be a crime rate.
> The question is how it's handled once a crime is committed.
no, the question is not how it's handled once it's committed, it's how do
we reduce it...
> If the
> police are too stupid/lazy to investigate crimes (which I think we both
> know happens sometimes), then prehaps it's time to get the officers some
> computer training and/or motivation courses, instead of having them sit
> in the donut shops 24-7.
if you think that is all that's stopping them from catching the malicious
spreaders then i suggest you are rather naive...
[sni]
> > > That could be because as long nothing illegal is being done with the
> > > viruses, the vX sites have nothing to complain about.
> >
> > lets face reality here, the people who put up the websites don't follow
> > up, they don't check if something bad was done with a virus from their
> > site... from a practical standpoint they turn a blind eye, they don't show
> > any signs of really caring that nothing illegal was done... the
> > disclaimers are hollow and without any real meaning except as a lame
> > attempt to cover their own arses (which all disclaimers are, really)...
>
> And how would you propose a system to follow up if a virus from their
> site was used for malicious purposes.
i'm not proposing they do, i know that they can't, which is why the
disclaimers are meaningless...
> There is no way at the present
> time. If there was a centralized database of malicious virus spreaders
> that was accessible from vX sites (that didn't compromise the annonimty
> of those of those that pass the check [which is possible with one-way
> encryption techniques]),
it may be possible to not compromise anonymity, but it is not possible to
generate the list you're talking about... anyways, that would be the same
thing as a certification... anyone whose name isn't on the list is
certified to recieve viruses...
> I'm sure that most vX sites would gladly make it
> a standard check before allowing any downloads from their sites.
> Until such a system is available, then a dialog box of "Do you intend to
> maliciously spread viruses? (Y/N)" is about the best they can do (while
> still being open to newcomers).
i've already pointed out a way they can do better... and there is no
reason to be completely open to newcomers... that is at the heart of the
issue, that is what is so irresponsible...
> > > So standing 2 hours in line in a government building waiting for the
> > > opporunity to fill out a form so you could stand another 3 hours in
> > > another line for some license or other, is then, by the same token, also
> > > making you a better person for which you should be grateful, right?
> >
> > waiting in line is not comparable to learning what it takes to become
> > competent and trustworthy...
>
> Is that so? Why are you standing in line then? Isn't that the reason
> why you're at the ministry of <fill in the blank> in the first place - to
> be certified as trustworthy (which naturally takes time)?
you do not improve yourself by waiting in line, you do improve yourself by
learning to become a better person...
surely you realize that you aren't actually changing while you're waiting
in line....
[snip]
> > my standard responce is not "go away"... my standard responce informs the
> > recipient of how their actions can contribute to problem of virus
> > spreading... in the beginning i left the process of coming up with an
> > alternative method of operation up to them but sufficient numbers seemed
> > to be misinterpreting my intent so it has been revised to include what i
> > think is a more responsible model of virus sample aquisition...
>
> I understand what you're trying to do, but it's hardly relevant to the
> person who asks "Can someone send me XYZ virus? I'm curoius how it does
> function ABC", since they are not trying to distribute the virus
a) you don't know they aren't trying to distribute the virus...
b) you don't know they aren't trying to spread the virus...
c) even if a) and b) weren't true, the very action taken encourages the
giving away of viruses to strangers - and that's an irresponsible thing to
do...
> - they
> are trying to recieve the virus. Thus your posts sometimes sound like
> they're aimed more at people who are thinking of responding to them
> rather than to those who actually ask.
if you don't see how
========
if you must look at viruses, get them privately from someone who knows and
trusts you not to do anything stupid or malicious with them, not
publically from a bunch of strangers...
========
is relevant to the person who asks, then i really don't know what to tell
you...
it is obviously directed to them, it helps them find a new/better way of
aquiring samples... what more *can* be said to them?
> > > That's my point.
> > > A liquor store does not get your ID, cross refernce it with people they
> > > are ALLOWED to sell alcohol to
> >
> > i think you're confused... that's exactly what they do... if the id
> > doesn't indicate you're in the *allowed* group (the people over 18) then
> > you don't get any...
>
> Afraid you are wrong there.
> Group of allowed people is that which is:
> (Above18) && (!Drunk) [if you like C syntax :) ]
> Their names are not recorded and cross-referenced to some list somewhere
> (centralized or not).
no, their names are not used, their names are not needed, because the list
of people allowed to buy alcohol doesn't need to be written down
anywhere... membership in that list can be checked (which is what cross
referencing is - a type of check) without having a physical list...
> To get alcohol you simply need to meet those two
> simple requirements - hence anonymous. It is not:
> (ResponsibleDrinkers) && (!Drunk)
as a matter of fact, responsible drinker is implied by !drunk... if a
drunk is trying to buy more booze then s/he is by default not a
responsible drinker...
> Once the criteria for Responsible Drinking is required, a list has to
> exist somewhere of those who fit and who don't.
nope, it is another list that doesn't have to physically exist in order to
check membership...
> Thus the following
> equation is assumed:
> ResponsibleDrinker= Above18 && !Drunk
> Will that let people slip through the cracks? Of course! As will the vX
> assumption:
> ResponsibleUser= ReadAndAgreedToDisclaimer.
no, that lets ALL people fall through the cracks... the other does not let
all people fall through... liquor stores take measures to keep booze out
of the wrong hands, vx websites take no measures... a filter that lets
everything through is not really a filter...
> The closest analogy to under 18 liquor example is for a vX site to block
> access to viruses from domains that lie within a country where viruses
> are not allowed (I believe there are a few countries like that). Again,
> I don't think that that is something vX webmasters would mind doing is
> requested.
i've already explained why vx websites can't do things the way liquor
stores do things... there is no way to immediately judge appropriateness
of a request for viruses as there is for booze, therefore a deeper
relationship of trust is required...
> > what i propose for viruses is *NOT* significantly different than what is
> > already done for alcohol...
>
> On the contrary - see above.
not on the contrary, i've already explained why they are the same, both
take active measures to keep goods out of the wrong hands.. they just use
different means of determining which hands are the wrong hands (because
they have to)... you seemed to have snipped that part out...
the disclaimers are not a real measure, no one is actually stopped by
them...
[snip]
> > sigh... you're confused again... *stores* represent fairly centralized
> > distribution of goods - my web of trust model is, as it's name suggests,
> > not centralized - it's a network of people... ergo it doesn't work for
> > stores... it works for crooks though...
>
> So you could get samples from person X, but to get a virus from person Y,
> you'd either have to get to know Y, or persuade X to get it from Y and
> send it to you? Sounds like a hassle - especially if the chain of people
> is 40-50 people long.
you're still confused... the point is not to get a sample from a specific
person, but simple to get a sample... it doesn't matter who it came from
or what path it travels in the web of trust to get to you... person y is
almost guaranteed not the be the only person with a sample of the virus in
question...
> > booze, *BUT* determining whose hands are the wrong hands with booze is
> > significantly easier to do and does not rely on trusting the owner of
> > those hands...
> >
> > with viruses, trusting the owner of those hands is all you've got...
>
> You're making the assumption that above 18 and sober is all that's
> required to be responsible. Personally, that doesn't sound like even a
> subset, much less an equality to me.
it's enough to prevent the act of irresponsible drinking (except where 3rd
parties are involved - and there's nothing that can be done about that)...
> > > Naturally, the
> > > quantity of people wanting booze is too great for this. Does that mean,
> > > however, that if 50% of the planet suddenly started collecting viruses,
> > > that a centralized scheme would become ok too?
> >
> > no... it is not the number of people who want it that makes it ok...
>
> These were meant more as rhetorical questions, but since you brought it
> up... since booze can be so dangerous, why shouldn't it be distributed as
> a secure web model too, in that case? (If not for convinience?)
because there aren't enough people to act as distributors...
[snip]
> > > Since I assume some knowlege of the language, it's not unreasonable to
> > > assume that a person can judge good code from bad, and/or is unable to
> > > find bugs.
> >
> > that's quite an assumption... definitely not one i'd make... if all it
> > took was some knowledge of the language people would be able to recognize
> > their own code as good or bad...
>
> Judging from your statements, you're not much of a programmer, are you?
well, i won't pat myself on the back (i might break my spine) but i am a
programmer... i've been programming for 14 years, i've programmed in
basic, c, assembler, perl, object oriented turing, java, c++, a couple of
shell script languages, etc, etc...
it's really (*really*) hard to go through a computer science program and
not be at least reasonably good at programming...
> The things gained from source are the algorithms (and implementation
> details on how to achieve them).
so? that's not the assumption i'm talking about... i know things can be
gained from source code... it's the assumption that it only takes some
knowledge of a language to be able to decide what code is good and what
code isn't... it takes a lot more than just "some" knowledge...
> > > Most probably there are a few of those out there. I don't estimate it's
> > > a very large number however. Afterall, with most spreader, it seems they
> > > think: why should they put in the extra effort, if they can be spoon
> > > fed.
> >
> > really? and how many spreaders do you know?
>
> Actually I don't know if I know any. It's not the first question I ask
> when I meet someone. I judge this by which viruses are spread, and by my
> impressions of the constant stream of people who post "I n33d 4 r3411y
> N457y ViRii!!". Maybe I'm not getting a fair cross-section by that - who
> knows :)
you aren't getting a fair cross section... i made the implication about
people who post those requests not being representative of the whole of
virus spreaders before...
> > > So this "unknown person" does not have a right to annonymity, and must
> > > give up all his secrets (to make sure they are not the "unknown bad
> > > person").
> >
> > please... don't put words in my mouth... i now you and you're still
> > anonymous...
>
> And yet you stated that you don't trust me enough to send me a virus,
> right? You're proving my point.
so? i don't trust david chess enough to send him viruses... i don't trust
bruce burrell enough to send him viruses and i met him face to face
once... i'm an exception, i said that before... maybe you need to keep a
tally sheet of all these points, you seem to be losing track of some of
them...
> > > And so we come full circle - sometimes (usually) one has to assume that
> > > the person is an "unknown good person" until proven otherwise.
> >
> > that may be the way you see things, but in practice that's rather
> > irresponsible to assume such without basis...
>
> Perhaps. But, it's done all the time in the real world.
> Every merchant in the world could be considered irresponsible to some
> extent (as they all must sell to people they don't know personally) - vX
> sites are no exception.
but they are an exception... they take literally no concrete measures to
keep their goods out of the wrong hands...
> > they aren't the only "known bad people"... is spanska in jail? no... does
> > spanska spread viruses? yes... does one have to be a virus writer to be
> > able to spread viruses without getting caught? no...
>
> Yes, there are people who slip between the cracks. Law enforcemnt is not
> perfect - live with it.
> The fact that Spanska distributes viruses is the fault of vX sites then?
no, did i say it was? no.. spanska spreads his own viruses, he's a virus
writer... do you need to be a virus writer to spread viruses without
getting caught? no... ergo there are spreaders spreading viruses that
aren't their own viruses... where did they get them? where is the easiest
place to get them from? vx sites...
> > > > you misunderstand... the vx sites want freedom, they should pay the
> > > > price for that freedom...
> > >
> > > They do. It's called a service fee to be on the net.
> >
> > wrong fee... the price of freedom is eternal vigilance... *THAT* is what
> > you must pay for your freedom...
>
> I was aware of that being what you meant, but my point is that vX sites
> are not the ones commiting the evil deads
that is not relevant to the statement... it is not the evil people who
must be eternally vigilant, it is *ALL* people who want their freedom...
> - rather the spreaders who are
> consiously breaking the law (unlike the drunks buying boooze as they
> could be too drunk to understand).
> The vX site can only try to help out after the fact - since the little
> prevention/vigilance that could - in theory - be possible, is not
> possible yet.
it is entirely possible right now, i've already described how it
can be done... the only thing standing in it's way is apathy...
> > not inconceivable that if the vx does not self-regulate that they will be
> > regulated by they authorities...
> >
> > which would you prefer? i'd prefer the former, myself... i don't think we
> > need any more regulation..
>
> Naturally, I agree with you that government intervention could only
> create more problems. The issue here is more how much self regulations
> can you reasonable expect from a vX site.
more than zero...
> I don't like your web-based
> security model as it has accessibility and annonimity problems.
controlling access is what security is all about... and there are no
anonymity problems... you can retain your anonymity, it may make things
more difficult, but you can retain it...
> If an
> idea for a better system comes along, there is no reason why I'd not
> support it, however.
this system is better than what is currently in place...