-----BEGIN PGP SIGNED MESSAGE-----

Submitted to Crisnews
By: James Lipshultz, Esquire
Computer Specialist/Computer Security Officer/
Computer Forensics Specialist
United States Federal Government, Law Enforcement Branch

- ---------------------------- Start of Article -------------------------------

"Treasury Department doing an excellent job on educating U.S. Government Security Officers, Professionally jealous mystery person causes weak willed government management to crumble at his vaporous words."

The actual headline in the Washington Post was: "Treasury Told Computer Virus Secrets, Whistleblowers Halted Display Available to Anyone With a modem."

Please, give me a break! COMPUTER VIRUSES ARE A SECRET ONLY TO COMPUTER ILLITERATES!

The article in the Washington Post on Saturday June 19, 1993 was a myopic, yellow journalistic piece designed to malign the reputation of Kim Clancy who is an outstanding U.S. Government Security Officer working for the Treasury's Bureau of Public Debt, AIS Branch. Washington's alternative newspaper, "The Washington Post", appears to have been manipulated by Paul Ferguson (an apparent Anti-Virus Sycophant Groupie) who supports and echoes the extreme self-righteous, pious, whimpering of a coward who posted an anonymous message in the risks forum which condemns the BBS run by the Treasury Department.

Ferguson's comments appear to be mentored by a corpulent self serving British Anti-Virus vendor whom I will refer to as possibly being Paul's "Stromboli". (The Puppet Master in Pinocchio who makes the marionettes magically dance.) +<|:)

The quote in the Post by Ferguson was incredibly muddled, obtuse, and boorish. It is a globally known fact that in any debate analogy is not valid because it has nothing to do with the subject matter. As a computer consultant who thinks a computer virus is, as quoted in the Post, "....
like leaving a loaded gun around and people saying: 'It's not my fault if someone picks it up and shoots himself in the head with it.'". Who are you kidding Paul? Do you really think that source code is the same as a hand gun? Viruses have no relationship to handguns at all. If this comparison was valid, wouldn't it have been enjoyable to have heard that when the riots broke out in South Central L.A., that the rioters held up store owners with floppy disks containing virus source code in ASCII format or were seen pointing printouts of virus source code. +<|:)

If you need education in computer source code versus handguns, allow me to direct you to the nearest University for an education in computer programming, the NRA for handgun enlightenment, and G. Gordon Liddy to learn how to correctly form a sentence as well as use a handgun.

Is it ethical or moral for you to own the Trident Polymorphic Engine that you got from a virus BBS? Do you consider yourself two-faced for engaging in this practice of downloading viruses from virus BBS's? Perhaps you should take a closer look at your own ethics before you venture opinions about a respected security officer in the Federal Government. Do you now see how ridiculous you sound? Do you believe that anyone who owns virus source code is immoral or unethical? If so, then when does it become ethical and moral to own source code?

Another statement by Paul Ferguson on computer viruses sounds like an advertisement for an Anti-Virus (AV) vendor. "The potential for virus damage has increased geometrically as big isolated mainframe computers are abandoned in favor of networks of small PCs--some worldwide in scope--through which the viruses can migrate. Because of the distributed nature of the network, a virus can now reach thousands of machines, requiring hundreds of thousands of dollars of man-hours to clean up once infected.' "

Let's examine this statement. What is the basis of this statistical claim? Is it real or is it Memorex?
Hmmm...... Geometrically?.... Are you sure? How about exponentially or is it linear? Maybe you should have said "To obtain the proper potential for virus damage we multiplied the growth rate based on The Theory of Relativity which we then divide by the Gamma Factor, which, as we all know, is the inverse of the square root of one, minus Planck's Constant divided by C squared, C being the speed of light which as we all know is an absolute." Whooo Weee, next time baffle the press with heavy duty BS, Paul. +<|:)

On what type of network operating system does the situation you describe occur? On networks with at least a C2 level of security? Is it because everyone is allowed physical and write access to the server, or because the System Administrator is a total incompetent or computer illiterate? Is it correct to assume that most Sysops are so ignorant about viruses that most networks are not running Anti-Virus software?

Paul, once again I think you have overstated yourself. I believe you should have said: "If a network sysop is a secretary with no computer skills and the network has no security whatsoever and everyone on the LAN is allowed to bring foreign software and execute it on the server, then a virus that is specific to the network operating system has a chance of remaining undetected and traveling." (Notice I kept your sentence structure so that it would look like your words.) +<|:)

Coming in at a very close second in my hit parade of insipid comments was Bruce Sterling, the author of the mostly dry and mildly entertaining "Hacker Crackdown...Bla Bla Bla". Bruce's equally ridiculous quote appears to have been made to get his vanishing name in print. He made virus source code "the equivalent of how to commit arson, or hot-wire cars." Would you be willing to submit to a drug test Bruce? Maybe you should return to writing fiction since you have such a wonderful imagination.
Would you please cite the instances where a house was burned down and the fire marshal attributed the cause to virus source code? Have you ever heard of a police officer who said a thief has been starting cars with virus source code?

I am so impressed by your brilliant quote: "Every maladjusted sociopath with Coke-bottle-bottom glasses has no trouble finding this stuff. The police are the only ones not allowing themselves to look at this stuff." Wow, I'm having trouble understanding why you did not seek a career in law enforcement. It is apparent that you would know the Bad Guys because they are the ones with the close-set beady eyes. Bruce, if maladjusted sociopaths exist, are there any adjusted sociopaths? As a "professional" writer I would assume your verbal and writing skills to be better than most. May I make the following suggestion? Look in the dictionary and learn the meaning of the word malapropism before you write anything else.

By your quote, are you saying that all sociopaths wear coke-bottle-bottom glasses and thus have gravitated to fulfilling the quest of the unholy grail by seeking out people with virus source code? Why not type cast people by race? Take a good look at the people who code Anti-Virus products. Some of them have thick glasses, though we both know that they would never spread a virus? (Yea, Right!)

As for the police not looking at this stuff, I have to assume that you imply all law enforcement officers, County, State, and Federal. Law Enforcement knowledge regarding computer crimes is far better than you ever dreamed and we do gather knowledge from virus BBS's. As a brotherhood, we share knowledge to help fight the war on crime, so don't ever sell us short. It is apparent that you are unaware of the skills of computer specialists in the federal government, especially in federal law enforcement agencies.
I will give you credit for conveying the idea that Kim Clancy was very good at her job, though you give it an edge that leaves one feeling that she is brilliant but somehow demonically twisted. (Oh help me Obiwan, she is succumbing to the dark side of the force.) :)

Kim Clancy is a decent hard working person who attained her knowledge and status by intense work and study. She is respected because she knows, understands, and can articulate computer security subject matter in a concise clear manner, something beyond the ability of you and your ilk.

What you have done is to sensationalize an event that has been blown totally out of proportion. Your choice of words is the type that sells publications such as the Washington Post and the National Enquirer. Do you understand why your comments are ludicrous? In the future stay away from analogy and please take some courses in English before you write your next book, or at least talk to Mr. Liddy. Dial 1-800-G-G-LIDDY Monday through Friday, right after the lovely and talented Howard Stern. :)

I was further upset by the way in which the Washington Post sensationalized what was on the board. Where, oh where, did the Washington Post get all their info? Mmmmm? "The board also made available hundreds of "hackers' tools"--The cybernetic equivalent of safecracking aids. They included "password cracker" software."...and Bla Bla Bla. Wow, wake the kids, phone the neighbors, someone has a BBS with files that will hack a password! (Uh-ohhh, Frankenstein is on the loose!) :0

Several things to note here:

o Many companies make their living by selling software that returns the password used in the proprietary scrambling of WordPerfect, Lotus, Paradox, Excel and others.

o Also, there is software that takes a brute force approach to breaking the password to PKZIP v1.1 encrypted files.

The article leads one to believe that the BBS had a piece of software that could crack any type of encryption, possibly endangering National Security.
The Washington Post should have specified what type of encryption breaking software was available. Instead, the Post failed to inform the reader that the encryption breaking files on the Treasury board were nothing of any major significance. It's just that encryption breaking sounds good and satisfies the tabloid readers who have "inquiring" minds. :)

The catalyst that started this avalanche of Bravo Sierra (BS) appeared from the Risks Forum. The article was submitted by a coward who refuses to reveal his identity. I will restate his words and comment on this trash directly from the RISKS14.58 which I downloaded from The Treasury's AIS BBS. I will not use the direct quote from the Washington Post since they omitted several sentences. (By the way, how can a publication put quote marks around a statement and then not have it reflect the exact words that were actually written? Can you answer this Joel? Back to English 101 for you Joel.) I will put the Post's quote in CAPS so that the reader can see how it was edited. I will include my wonderful and insightful comments, in parenthesis, where appropriate in the text.

"This text was forwarded to me by a friend and professional colleague in the UK. I AM DISMAYED THAT THIS TYPE OF ACTIVITY IS BEING CONDONED BY AN AMERICAN GOVERNMENTAL AGENCY. I can only hope that this operation is shut down and the responsible parties reprimanded. I AM EXTREMELY DISTURBED BY THE THOUGHT THAT MY TAX MONEY IS BEING USED FOR WHAT I CONSIDER UNETHICAL, IMMORAL, AND POSSIBLY ILLEGAL ACTIVITIES."

... Insert screen captures from the menu of the Treasury's BBS here...

"I submit this text in an anonymous fashion for fear of reprisal. (COWARD!!!) I respectfully request (lick, lick, kiss, kiss...my what a brown nose you have Pinocchio.) that it be posted to both VIRUS-L and RISKS Digests. I think the risks of Government sponsored virus exchange are crystal clear." (To whom, Pinocchio?)
Who is this person who so frivolously throws such strong words around but is too afraid to put his name to them? (Like we really don't have a clue, we're so naive.) Mr. Anonymous also states that he is afraid of reprisals from the Treasury Department. Does this person actually believe that the Treasury Department engages in retaliation for negative comments to their policies and procedures? The Treasury Department is staffed by some of the finest law enforcement and non law enforcement personnel, who probably have the finest morals and ethics in the Federal Government.

"Anonymous" used all the correct government buzzwords that will send any meek GS management scrambling to cover their ass. The good old boy alarm is activated, memos start to fly and the process of denying knowledge of the activity begins. Weak willed government management cringes at the thought of a memo with the words tax money associated with "unethical, immoral, and illegal". Damage control is enacted and the weak kneed management buckles under to the words of a ghost. What a shame that Kim's BBS was so easily raped and reduced to mediocrity.

Peter Hollenbach's words were irresponsible and ill chosen. His first mistake was to state that the Treasury Department had made a mistake which they were scrambling to correct. It implied extreme ignorance on management's part. The paragraph in the Washington Post stated: "The Treasury Department has little idea who has dialed up the bulletin board, and what has been copied out of it", said spokesman Peter Hollenbach. "Hence it is impossible to judge if any damage has been done."

Is this the best you can do Peter? Where is your head making these outrageous statements? You answer in the extreme negative and leave out the positive. You should be fired for gross incompetence in handling damage control! The Treasury Department definitely needs a person who will stand up for its people and the Agency. Where the hell is your pride?
Kissing ass of the politically correct makes you sound like a roll over wimp and a poor liar. I used the "I didn't know" excuse in grade school. Please ... be a man!

A strong willed, organized, management would have admitted that they were aware of, and defended, Kim Clancy's actions. I believe the Treasury Dept. AIS management should have publicly announced that they were putting her up for a performance award and done it! (No Guts, No Glory!)

Hollenbach should have said that the board had been running for several years with the full knowledge of the Anti-Virus community and not one (or say most all) AV vendor had complained. Nor have they received any complaints from the ICSA, NCSA, EICAR, or CARO (once again list the "big" guys who do not complain; do you understand yet, Hollenbach?) who are all fully aware of the board's existence. In fact two members of the Computer Antivirus Research Organization (CARO) actively encouraged Kim to obtain more computer professional programming files (commonly called hacker files by the press neophytes). They did not complain that the BBS distributed because they were among the organizations who downloaded these files. The Anti-Virus industry as a whole did not complain that the board was immoral or unethical and encouraged its existence. Most importantly, the board provided extensive help to security personnel throughout the Federal Government and helped other security officers in their endeavors to achieve outstanding performance in securing their agencies' networks. (Period, end of statement!)

See how it works Peter, stand up for the Treasury Department and its people. Don't be pushed around. Tell the press how really ethical, moral, and loyal Treasury personnel are, and mean it! The Federal Government is providing you with a fine job. Drop the coffee cup from one hand and the paycheck from the other and get your sorry ass in gear, mister! (Semper Fi!)
If you don't know what to say, tell the press that a statement is being prepared which will be released in a few days. By so doing, you've given yourself time to think clearly and form a good plan by talking to people who understand the problem clearly. Thus, you do not embarrass the Federal Government. In addition, never admit ignorance or try and back-pedal, the Washington Post twisted your words to make you look foolish. Remember above all, Peter, the truth is the easiest to remember. (Truth is your shield and knowledge is your weapon. You had both and didn't use them!)

On to the next topic, the quote in the Post that states "'...since the complaints began, Treasury officials, while not disciplining Clancy, have shut down the 'underground' portion of her bulletin board.' "It is not consistent with what we originally set out to accomplish", Hollenbach said. "We decided to refocus back to our roots."

Since complaints began? How many complaints were lodged against this BBS? I would like to count the complaints. (on the fingers of one hand, I'll bet!) How many letters of support and accolades from competent Federal and private security officers has Kim Clancy received? I would wager that the support letters "geometrically" +<|:) outnumber the holy (two faced) self-righteous letters.

Wake up everybody! The AV people trade more source code and viruses than anyone! I know because I trade with them. I have their infected goat files with their Company names in them! Shutting down the Treasury BBS has not vanquished some evil, it is ensuring that vendors will control the market place and tell us only what they deem appropriate. You "Pinocchios" not only need a conscience, you need common sense. You are being used as pawns in a game for control of the market place, and you're being made into politically correct fools.

Third on the chart of laughable Post quotes is Neumann... 'Neumann of Risks Forum, however, is troubled by Clancy's actions. "It is the classical double-edged sword. It might help, and might hinder. (You should have stopped your quote at this point, however you had to step in it by going on. Now you're doing that special one shoe tap dance... Ugh!) You're looking at a potential for serious disaster", he added. "If you're talking about life-critical systems --air traffic control, for instance-- it means killing people."

Another brilliant thinker? All I can say is if you are stupid enough to run a DOS based network for critical systems such as air traffic control, people will probably die anyway, even if there are no viruses. Have you ever had a DOS system hang due to a conflict with a TSR? (Duh!) --- DOS is a real C2 secure operating system isn't it? Maybe an Apple or an Amiga system would be better for Air Traffic Control. Hmmmmm? Those are at least as secure as MS-DOS ...please spare me your platitudes, Neumann.

The Treasury BBS did not have any viruses that would take out the Air Traffic Control System or some other Mission critical system. Let's come back to earth please. Neumann, do you have an understanding of viruses or are you just like the other computer illiterates that hear the word virus and pull out their verbal Excalibur swords to attack? Next time, truly know your enemy before you attack.

An interesting experiment by one virus author involved tracking viruses through the AV vendors. The author sent his virus up to one big name AV vendor. Two months later it was in VSUM and it was sent back to him by overseas underground virus BBS's in three months. I call that an interesting experiment with a powerful statement on the propagation of viruses by the AV community itself.

Several virus writers have told me that they are coming together in their efforts and are becoming more politically aware in pointing out hypocrisy.
One virus author alleges that he created a virus called "SARA" with unique X-rated graphics as a statement of hypocrisy in an AV groupie who hounded and begged Mark Ludwig at an AV convention for a copy of his book "The Little Black Book of Computer Viruses". Upon finally selling her (What is the name, Hmmmmm?) a copy to get her to leave him alone, she allegedly ran around holding Ludwig's book above her head shouting "He sold me a copy, he lied, see." (Ludwig promised not to sell a copy of this book at the Conference. - If this is true, lame stunt to pull Sara! Shame on you, bad girl, bad girl, Grrrrrrrr.)

This same person was later heard saying that she planned to publish a book containing the Sysop name, actual name, addresses and phone numbers of all the virus sysops. (Obviously a money junkie in need of a quick fix. How popular could this possibly be? I believe the author of such an endeavor better be correct, and be able to back it up, otherwise it sounds like a class action libel law suit. Not good for profits.) This allegedly created a big commotion among the sysop community.

Virus authors are also attacking the lack of programming skill of some popular AV developers to demonstrate how the public is getting stuck with inferior AV products. For example, McOversized Wallet's scanner only catches about sixty percent of the viruses generated by the Phalcon-SKISM Mass Produced Code Generator. In addition, NPOX attacks the lack of internal security checks in CPAV.

On the other hand, there are some exceptionally outstanding virus scanners, such as Fridrik Skulason's F-PROT. He has about the best, if not the best, scanner/disinfector on the market. Frisk is truly a person dedicated to stopping the virus problem by making his AV software available for ONE dollar, thus the public can choose quality protection for their PC that is affordable.
Another alleged story in the underground goes like this: a meeting of AV people was held in New York and "Stromboli" was running the show. During the lunch break a computer "criminal" broke into the room and stole the minutes of the meeting. The minutes reported the AV organization would deny the existence of their virus collection. Thus they would not have to share them with anyone else. (Squeezing out competition and raising prices later.) Sounds like a Cartel to me. Wow, can this be true? An AV person worrying more about profits and eliminating competition than fighting the war on computer viruses? But when "Stromboli" talks all he can say is how unethical and immoral those people are who possess viruses or even source code.

Perhaps the Federal Trade Commission should be notified of unfair competition in the market place. I would also hope that a government agency takes control of a super set of all viruses from all the companies and sets the naming standard (NIST could do this.), as well as keep the viral search strings and algorithmic patterns of ALL anti-virus vendors. Thus any new vendor could apply for a set of viruses from this agency and not be prevented from entering the market because of a lack of test viruses. Every time a vendor at home or overseas updates his product he would then submit the new viruses to this governmental agency, along with recompilable AV product source code. The Federal Government would thus have an accurate comparison of the existing marketed version and would protect consumers from shabby anti-virus products, because these would have government approval. The ethical conflict of vendors controlling source code and viruses while assuring us, with a toothy grin, that their products work, would be solved.

I think this idea could work and should be expanded upon. It would seem to be a better idea than trying to keep citizens from owning virus source code or compiled and executable versions for test purposes.
Maybe the average citizens should contact their senators about enacting some legislation to enforce standards on AV products that purport to protect our computer disks. I hope the Federal Government would be in control of a complete library of source and compiled viruses, ensuring product quality and competition among AV vendors. Thus, the consumer would be relieved of virus fears by superior products and competitive pricing. Thus, ALL individuals who choose to own source code and viruses will maintain this freedom.

I am asking for a response from the user community on these next few questions:

o If viruses are illegal in the UK, then why does "Stromboli", in PRIVATE industry, control the largest set?

o Why doesn't the British government control access to the viruses?

o If it is illegal for a private citizen to own or trade viruses in the UK then why hasn't "Stromboli" been arrested for trading viruses locally and internationally?

o "Stromboli's" goat file viruses are showing up on virus BBS's and infecting American PC's.

o Is "Stromboli" trading with virus BBS's to get the latest viruses?

o Can the U.S. Government hold "Stromboli" responsible for his virus infected goat file infecting any Federal PC's?

o Should Americans complain to The State Department to press for action against "Stromboli" for importing viruses into the US, while violating the laws of the UK? (How dare you... you... you... phony internet mail virus Importer/Exporter., P.S. Thanks for my set.)

"Stromboli", you and you alone are ultimately responsible for the spread of the viruses with your company logo attached. What did your fellow CARO members say when they received a large set of viruses from an American virus BBS that contained your virus infected goat files? (Holy Moly Dude, the monster you created is coming back to bite you in the ass.)

The news media is constantly being manipulated by special interest groups that stand to financially benefit from politically correct views.
At the same time, the papers are constantly looking for ways to create cover stories which support their political agenda and enhance stories that sell their publications, making huge profits. (Don't get me wrong I'm all for profit and big business. Go Gates!) However, when it comes to attacking one of the government's most respected Security Officers I feel the news media was fast to move and slow to screen bias in their stories. I also feel that Ferguson, Sterling, Hollenbach, and Neumann should present a written apology to Kim Clancy in an open public forum.

Viruses are an overblown phenomenon created by people who make money from the existence of viruses. Remember the Michelangelo virus, a big dud in the real world, except for the AV people's McOversized wallets? Viruses do exist, though they are a very small problem for an ethical and knowledgeable sysop who follows common sense computing practices.

Do you bootleg software? Do you download strange software files offered by various BBS's and execute the files on your server? Do you share or trade floppies with your friends at work or home? Do you import software from your home PC? If so, does anyone else (like your college son) operate software from the university on your PC? Is your PC devoid of Anti-Virus Software? If you answer yes to any of the above questions, your own ignorance and laziness will ensure you someday get a virus.

In conclusion, you moral majority types are neither moral nor in the majority. As a law enforcement computer security officer and computer forensics specialist, I have been told I am not responsible enough to own viruses, by the same AV people who trade viruses among themselves. Since the response was usually, "We don't want to be responsible for spreading viruses", it was all I could do to not speak out and call them hypocrites. It is time that certain vendors stop telling us how to think and what we can or cannot do as regards computer source code, viral in nature or otherwise.
AFTER THOUGHT: to Peter S. Tippett, has any anti-virus vendor signed the "Anti-Virus Developers, Publishers and Professionals Code of Ethics" (My Copy is) Draft 1.3, 11/19/91 (a noble attempt by a decent fair minded person with a good idea, brought forth at the NCSA 1st International Anti-Virus Product Developers Conference on 11/25/91). As I recall, not one AV Developer was willing to sign it, and it scared the hell out of most of the AV people. Has it been improved on and has anyone signed it? I would like to see the names published in the Washington Post of the AV people who signed and did not sign an ethics agreement. Will the signature count be greater than two, including yourself?

------------------------------------------------------------
|| My message to the coward "anonymous" in the RISKS FORUM. ||
||                                                          ||
||                       Quid Pro Quo                       ||
||                                                          ||
------------------------------------------------------------

Author: James Lipshultz, Esquire
Computer Specialist/Computer Security Officer/
Computer Forensics Specialist
United States Federal Government, Law Enforcement Branch

(Special Thanks to Mr. Frank Tirado, US Federal Government, for editing and comments.)

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLNc4fqM4CDusTF+9AQEw8AH+LUu5hrDdEgMgASODbHNJKHxeJR+TEYho
ISK524VijuyRYp0C9pcibT2/N1ygoprKfIUKWIO4/NhI8OVB5+wAHQ==
=4Whm
-----END PGP SIGNATURE-----