Full Disclosure mailing list archives

RE: Right-wing computer virus


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Jul 2003 23:30:42 +1200

"Jason Bethune" <jbethune () town kentville ns ca> wrote:

> As a newbie....to the list....I am just curious...do viruses not propose a
> security risk? I am not taking sides just asking a question so I can get
> proper information.

Viruses, Trojans, and most other forms of what is nowadays more loosely 
known as "malware" primarily pose an integrity risk, and availability, 
access and integrity are generally the three foundation stones of 
"computer security".

Arguably, in a modestly well-designed computer system, integrity 
concerns reduce to "the HR problem" (i.e. how do you select, as 
employees, sufficiently honest and reliable folk).  Unfortunately, most 
computer systems in operation today (and virtually all such "on the 
Internet") assume (quite incorrectly) that, at most, suitably defining 
discretionary access controls also resolves the integrity problem.  In 
fact, these issues are orthogonal, or at least nowhere near as close to 
parallel as that practice suggests.  As most systems are implemented 
with very little (in fact, usually _no_) system-administrative control 
over the code that runs on them, the integrity "problem" is, in fact, 
entirely ignored.  (Further, the general ignorance of this and push 
toward the "convenience" of allowing the _user_ to decide what "new" 
code can or should be run drives a lot of ongoing code integrity 
management problems, including the problems posed by viruses and 
related malware...)

So, the short answer to your question is "Yes, viruses are a security 
issue".  The longer, and much more accurate, answer is that "as modern 
computer security practice and training tends to ignore the actual 
basis of and type of threat posed by viruses, viruses are not really 
addressed as a 'security problem' although they will usually be 
labelled as such".  (Or, "avoid the marketing hype".)

This may not seem like it helps much -- if not, try to make sense of 
Fred Cohen's early work as I am only repeating part of what he first 
said close to twenty years ago.  If you do get a handle on Cohen's work 
you will understand what I am saying and be conceptually ahead of 95%+ 
of the "experts" out there (who will continue to not understand this).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

