1993-08-20 - KOH virus (long)

Header Data

From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
To: cypherpunks@toad.com
Message Hash: e324b4a4968eb4a591be8c26405f4d838e441c3a4b2c4e6857583b4ca26afee6
Message ID: <9308202211.AA08607@flammulated.owlnet.rice.edu>
Reply To: N/A
UTC Datetime: 1993-08-20 22:17:04 UTC
Raw Date: Fri, 20 Aug 93 15:17:04 PDT

Raw message

From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
Date: Fri, 20 Aug 93 15:17:04 PDT
To: cypherpunks@toad.com
Subject: KOH virus (long)
Message-ID: <9308202211.AA08607@flammulated.owlnet.rice.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Fellow cypherpunks,

While I am woefully behind in cypherpunks mail, at this time I wish to pick up
the discussion on the potassium hydroxide program.  I believe this is 
relevant to the list, so I'm posting to the list.  So as to not try
everybody's patience, my own personal opinions and experiences are contained
in a section so delimited toward the end.  Also, some concerns brought up
previously are also contained in their own section, before my opinions.  So
you can stop reading at any time :-).

In summary, I am posting this because I intend to post KOH code when it 
becomes available.  The feelings expressed about this may very well affect 
the future of the list.  In fact, I may post to virus-l because it has come
to my attention the topic has surfaced there as well.  And I know that
anti-virus professionals are always interested in the facts of any matter.

A few people have requested copies of the program from me, and I know of
at least one person actively working on a disassembly.  I mention this
partly in an effort to mentally prepare some people on this list for
an event that is certain to happen in the future: the posting of KOH
source code.  I say this: when a disassembly of the program becomes
available, if I receive a copy, I fully intend to post it to this list.

I would like to point out the charter of this list includes the phrase
"Cypherpunks write code."  As we all know software development is a time
consuming process and thus not many programming projects are discussed,
due to complexity, time constraints, slow development, etc.  One such
project a few list readers expressed interest in was the so called
"CryptoStacker" project - a program which would function very much like
Stacker does (it automatically compresses and uncompresses disk drives)
except the CryptoStacker would automatically encrypt and decrypt.

Suddenly, a program which claims to do all this surfaces.  KOH claims to
install itself, encrypt and decrypt with IDEA and an unspecified quick
algorithm, and uninstall from the hard drive on request.  The author
explicitly states he intends no maliciousness, and will even accept bug
reports and perform patches.  How then can we ignore such a program?

Now the author called his program a "virus", a word that is treated with
near hysteria by some.  I don't give a damn if the author calls his program
a virus, a program, an automatic encryption program, Pretty Automatic
Privacy, a universal Turing machine, or a duck-billed platypus.  The fact
is this program fills the need of many users, or may advance the state of
art in automatic encryption programs.  It most certainly will be helpful
to see IDEA implemented in assembly - perhaps this could be used to many
advantages, in PGP, other packages, etc.

A bit of the disassembly has been performed - and apparently the program
installs itself in memory, hooks various interrupts, and installs itself
on floppies, marking off sectors as bad.  I don't know how Stacker 3.0
stacks floppies to make them portably uncompressable (that is, you can
stack a floppy, and still use it on a system that doesn't run Stacker), but
it is clear it must reserve part of the disk as being used, at least to
contain the decompression routines.  It is also clear that Stacker installs
itself into memory, and hooks various interrupts to compress/decompress
on the fly, like KOH does.  

If this is too close to viral activity, then I ask the anti-virus 
professionals exactly how did you expect a program of this nature to work?
How can a program like Stacker function if it doesn't hook interrupts,
install into memory, and place certain routines on floppies?  Answers to
these questions may direct efforts and work in another direction more
pleasing to some.

Now, I'm not going to waste my time looking for an official anti-virus
community sanctioned example of a program which does the above.  KOH
is here, and we may learn and benefit from it.

PREVIOUS CONCERNS

Some people wrote in objections to the list about the KOH "virus".  So as
to diffuse a potentially emotional situation, I am not crediting the
original authors, and am paraphrasing their statements.

One person expressed concern that all viruses carry potential for damage,
and that a legitimate program would be better.

1) Yes, viruses carry potential for damage.  But the author of this one
   states he intends no malicious behavior.

   * perhaps somebody could enlighten us as to how a program like Stacker
     or KOH is supposed to work in "legitimate program" form.  Both
     programs must obviously hook DOS systems calls, install into memory,
     and place "undoing" routines on floppies.

   * not to insult anyone, but to imply that only viruses carry potential
     for damage is a pretty outrageous selective use of facts.  PKZIP and
     PGP both had bugs which caused lost data, and even DOS itself has a
     buggy CHKDSK command.

{at this time I would like to apologize profusely to Phil Karn, Hal Finney,
Derek Atkins, Edgar Swank, Phil Zimmermann, and anybody else involved in
PKZIP, PGP, or creating software in general.  The people devote hours of 
their time and expertise towards programs which help thousands of users; I 
am not poking fun of anybody or blaming them or anything like that.  I just
wish to point out that modern software is complex, configurations are 
uncountable, and that despite the best efforts, mistakes are made.  
Fortunately, most are caught quickly and corrected.  I don't think anybody 
can expect perfection.}

Another person expressed concern that the software comes with no explanation
of ramification.

2) Well, I have some interesting news: no software does.  In fact, after
   checking the manuals for every piece of commercial software I could find,
   I discovered that all software comes with two disclaimers:

   1) The manufacturer does not guarantee the software even works
   2) The manufacturer disclaims all damages

   So perhaps those who wish such promises from a public domain encryption
   program are expecting a lot given that there isn't even any commercial
   software which does this.

{interesting crypto relationship to reputation markets.  The software 
industry is a billion dollar industry that sells products not even
guaranteed to work, all damages disclaimed.  How then is the industry
so successful?  Answer: reputations.}

PERSONAL OPINIONS

Well, I'll keep it brief since if you've read this far, you are probably
getting tired :-)

* I do not condone or encourage spreading malicious code, especially to
  novice users.  Perhaps the worst thing that viruses do is create a 
  sense of fear among people already intimidated by computers.  

* However, I don't see anything wrong with knowledgeable users who accept
  the risk sharing code.  Naturally, I expect they will take responsibility
  for their actions and not seek to destroy anybody else's property.  Keep
  it local, use your skill to everybody's advantage.

* I think viruses are severely over-hyped.  

  It is my deepest nightmare to one day open the paper and see the headline
  "Planet Earth Knocked Out of Orbit by Computer Virus!"

  Eventually with fancier security (operating system wise), cryptography 
  (message digests, authentication), and research on virus scanners the 
  problem will go to zero.

  Yes, I know it is impossible to have a program perfectly detect viruses.
  But in my own reading it seems that it is possible to have one program
  have no false positives (but some false negatives), and another have no 
  false negatives (but some false positives).  The combination of these two
  scanners would then be optimal.

  If this is incorrect reasoning, please let me know, with an explanation
  if possible.

* I've lost 10 minutes of work because of the nVIR virus on the copy of
  CricketGraph I once used.  I lost one whole week of work (2400 minutes)
  helping figure out why Windows, Novell, and DR DOS wouldn't work
  together.  Files were lost, machines crashed, device drivers kept stomping
  one another.  The problems were fixed in bug patches from the 
  manufacturers.

  So maybe my experiences were atypical, but I just can't get excited about
  fearing a viral attack.  I am more likely to fear the commercial software
  I use.

* Some elements of the anti-viral community seem to act in a self-serving,
  high priesthood mode, gathering occasionally to congratulate and agree
  with one another.

  In fact, some seem to act like the NSA: answerable to no one but
  themselves, seeking to censor or otherwise restrict information they
  deem sensitive, preferring you trust them in various matters, etc.

  Now, I point no fingers, make no accusations, and in no way begrudge
  any of these people.  It's an honest living, and many people do benefit
  from their efforts.

  However, I am reminded of a favorite quote of mine:

  "The louder they spoke of their honor, the faster we counted the spoons."

  That is, the louder someone condemns viruses, the more hysteria they
  generate, the more vehement the accusations, the more I wonder how much
  $$$ this person stands to make.

* That's it.  Again, I say studying the KOH will benefit us.

Comments are welcome at klbarrus@owlnet.rice.edu.  However, I am a full time
student once again; classes begin Monday so I will probably take a while to
respond.


-----BEGIN PGP SIGNATURE-----
Version: 2.3a

-----END PGP SIGNATURE-----
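To make the two-scanner combination discussed in the post concrete, here is an added toy model (not part of the original message; the sample corpus and the two scanners' rules are constructed) that counts false positives and false negatives for each scanner alone and for the two ways of combining their verdicts.

```python
"""Toy model of combining two virus scanners with complementary error profiles.

Added example, not from the original message. The corpus below is constructed:
each sample carries a ground-truth label plus two observable features that
stand in for what a real scanner could inspect.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    infected: bool          # ground truth, unknown to the scanners
    signature_match: bool   # file matches a known infector's byte pattern
    resident_hook: bool     # file installs resident and hooks a system interrupt


# Constructed corpus (hypothetical file names, not real samples).
CORPUS: List[Sample] = [
    Sample("known_infector.com", True, True, True),
    Sample("new_variant.com", True, False, True),    # no signature yet
    Sample("disk_driver.exe", False, False, True),   # legitimate resident driver
    Sample("readme.txt", False, False, False),
]

Verdict = Callable[[Sample], bool]


def signature_scanner(s: Sample) -> bool:
    """Conservative: flags only exact signature matches (no false positives here)."""
    return s.signature_match


def behaviour_scanner(s: Sample) -> bool:
    """Aggressive: flags anything that goes resident and hooks (no false negatives here)."""
    return s.resident_hook


def both_agree(s: Sample) -> bool:
    return signature_scanner(s) and behaviour_scanner(s)


def either_flags(s: Sample) -> bool:
    return signature_scanner(s) or behaviour_scanner(s)


def error_counts(verdict: Verdict, corpus: List[Sample] = CORPUS) -> Tuple[int, int]:
    """Return (false_positives, false_negatives) of a verdict over the corpus."""
    fp = sum(1 for s in corpus if verdict(s) and not s.infected)
    fn = sum(1 for s in corpus if not verdict(s) and s.infected)
    return fp, fn


def evaluate(corpus: List[Sample] = CORPUS) -> Dict[str, Tuple[int, int]]:
    """Compare each scanner alone against the two combined verdicts."""
    strategies = {"signature": signature_scanner, "behaviour": behaviour_scanner,
                  "both_agree": both_agree, "either_flags": either_flags}
    return {name: error_counts(v, corpus) for name, v in strategies.items()}
```

Requiring both scanners to agree keeps the signature scanner's zero false positives but inherits its missed variant, while accepting either flag keeps the behaviour scanner's zero false negatives but inherits its flagged driver.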
