Insane Reality issue #8 - (c)opyright 1996 Immortal Riot/Genesis - REALITY.017
Article: AV Interviews
Author: Dark Fiber and Co.

% Anti-Virus worker Interviews by Dark Fiber %
______________________________________________

Here are some quick interviews with 3 Anti-Virus workers, namely Fridrik
Skulason, Mark Ludwig, and Alan Solomon.

- _Sepultura_

'>' is Dark Fiber, no '>' is the person being interviewed.

=============================================================================

% FRIDRIK SKULASON %
____________________

> Who are you exactly? Introduce yourself.

Who am I? Born in '63, married, one child, studied computer science and
psychology at the University of Iceland...most of my time is of course spent
on my work and my family - what spare time I have is spent on my hobbies:
genealogy and gardening....well, and watching Star Trek and playing with the
oldest role-playing group in Iceland. :-)

> How many years have you been part of the anti virus scene?

A little over 7 years.

> What first got you started in it? Did you start out writing
> a stoned remover at university like everyone else?

Not quite. I started my software company in '86, and my first product (a TSR
spelling checker for Icelandic) went out of the door in '87. In late '88 I
released my second commercial program - a genealogy package, and started
looking around for something new to do. I was working part time at the
university as a PC expert, and part time as a free-lance programmer. In
January '89 I got a job at IBM Iceland patching terminal emulation programs.
They had this 3270 (I think) emulator program that ran on PCs and needed to be
able to communicate with the mainframes - unfortunately, the program did not
handle the Icelandic special characters properly. Now, they did not have the
source, and they did not have any x86 experts, so I was hired.
Normally when I took free-lance jobs I worked at home, but in this particular
case I needed to work at the IBM building...I needed access to the mainframe
for testing the program. While I was there a virus struck elsewhere in the
building..wiping out a disk or two....it turned out that IBM Iceland had been
hit with the Cascade.1704.Format virus. As I was the only assembly language
guy around, I got a copy of it...disassembled it, thought "hey this looks
interesting", wrote a detector and a disinfector for it, and realized that
this might be turned into a sellable product. I then started looking around
for other viruses - John McAfee was very helpful...sent me a practically
complete collection of all the viruses known at that time - I analysed them
all, added them to my program, and that's how F-PROT got started.

> IMO the virus scene has been in major decline and is still going,
> Have sales of your AV products increased or decreased?

The sales of the DOS version have stopped growing, but the other versions
(Win '95, NT, OS/2 and NLM) are probably on the increase. The time of
"doubling every 6 months" is over, though.

> What other products does Datafellows produce? Do you feel
> the need to branch out into other software streams to keep
> the company going?

You have to ask them....Datafellows is not my company....We (Frisk Software)
only produce the three programs I mentioned (F-PROT, a spelling checker and
the genealogy program).

> How many viruses per month would you receive?

200-400 new ones....but as many as 10.000 samples, containing old viruses,
suspected viruses or just plain junk.

> Do you see this number increasing or decreasing over the
> coming months, to a year?
No idea....somebody could bring out 10.000 PS-MPC viruses over a (busy)
weekend, but on the other hand it seems to me that many virus writers are
quite frankly getting bored, and looking for better or more productive things
to do....or perhaps they just get a "real job", a pregnant girlfriend or
something else that changes their outlook on life.

> With future trends pointing towards the interpreted text form
> of www\java, do you feel that the text type style of macro
> virus, compared to the traditional executable binary style
> of virus, will play a much bigger role?

Non-traditional viruses will increase in importance, of course, but I don't
like trying to predict the future....most people doing that usually get it
wrong.

> If you could change anything about the Anti-Virus industry, what
> would it be?

Fire certain unethical marketing people employed by some of my competitors :-)

> Ditto for the virus industry (Assuming there cannot be one without the other
> and that both will always exist)

Actually, I would like to see both disappear...even though that would leave
me with a much smaller company, and reduce my income...but at least I would
have more spare time..

> Do you have any future plans computer wise beyond viruses?

Not really.

> Do you feel the window into anti virus programming is still open
> or has the ship left the dock already, its too steep a learning
> curve for beginners?

It is practically impossible to write a virus-specific program (like a
scanner) from scratch, but it is quite possible for a newcomer to write a
good generic program, an integrity checker, for example. When I started, I
could write the program and analyse viruses, working part-time. Today I have
a group of people working on that. Anybody starting from scratch would need
much better financial resources than were necessary 7 years ago....not
impossible, but very, very difficult, as the industry has matured quite a
lot.
> If the anti virus people went by handles, what would you call
> yourself and why?

I have never seen any need/use for handles, but I guess I would pick
something like "Iceman".

-frisk

=============================================================================
=============================================================================

% MARK LUDWIG %
_______________

>First off, can you give me a brief description of who you are
>and what exactly do you do?

I am 37 years old, the father of 3 boys ages 6, 4 and 1, and we live in the
mountains in Arizona where there are lots of wild animals and tourists in the
summer. I am the president of American Eagle Publications, Inc., a book
publisher which publishes all kinds of books, ranging from early American
history to space exploration, and--yes--some of the books I've written on
computer viruses.

>What's the extent of your education with regards to your work?
>ie: self taught and picked up the lingo as you went or the full blown
>uni degree bought by your parents, etc?

I went to MIT for undergraduate work and got through in two years, majoring
in physics and mathematics. Then I went to Caltech for a Masters in
theoretical particle physics. I got my PhD at the University of Arizona
working for a guy who developed nuclear weapons and had access to all of the
hottest supercomputers just as they came on line, and my dissertation work
was on numerically modeling quantized fields (which really required being
able to get on a Cray before the accounting was set up and hogging down
unbelievable amounts of computing power). I got involved in the
microcomputer revolution in the mid 70's when I was at MIT, living with a
bunch of e-e's. We'd build micros for recreation and do all kinds of strange
things with them. And most of my computer experience was just hands-on kind
of stuff. I've never taken a course on computers or programming in my life.
My computer work proved more valuable than the university degree when I got
out into the real world, and I ended up working as a programmer/engineer on a
variety of projects, ranging anywhere from designing the control circuitry
for a tortilla making machine to writing the controller code for the Gateway
keyboards.

>What's your major interest in viruses? the idea behind self replication?

My interest in viruses was spawned from a combination of scientific and
technical interests. Any low-level programmer is bound to be interested in
how these things work. We were already discussing them in the mid seventies,
so when they started showing up in the real world, my curiosity was piqued.

Yet as a scientist, I found the idea of viruses even more fascinating. If you
will, here was a sort of second creation taking place before our eyes. I
mean, people have played around with the idea of artificial life for a long
time, but here in the past decade, we've witnessed some of these artificial
creations take off and go. They've gained an existence quite apart from their
creators, and sometimes quite contrary to their creators' wishes. While the
question of whether they are alive or not is rather deep, they do have some
of the characteristics of living organisms. I find that rather fascinating.

As a hard-core physical scientist, I've always been somewhat skeptical about
the claims of evolution to be able to do what it supposedly has. Evolution
should work for viruses just the same way it works for living organisms
because they replicate, they pass "genetic code" from one generation to the
next, and they face survival challenges just like living organisms. If
evolution is as powerful as most scientists think, then the a-v are doomed.
I'm not sure that's the case, although it's not hard to write Darwinian
viruses that can really cream most of the scanners out there today. Anyway,
it's quite a fascinating subject.
>What was your initial reaction to hearing that your Stealth.Boot.C is
>so widespread?

Ha ha. Divine justice! Let me give you a little inside history on
Stealth.Boot.C:

When the Little Black Book was first published in '91, the Stealth Boot virus
infected floppies by formatting an extra track on the floppy and putting
itself there. That worked real well on old XT's, but in the year or so
following its release, many of the AT class machines coming out changed the
BIOS to validate tracks, etc., so they could handle different diskette
formats, etc., better. Also, the virus didn't replicate unless a specific
track and sector was read on the floppy, which hardly happened every time you
accessed a floppy. As such, the original (Stealth.Boot.A) didn't infect very
aggressively.

Well, the A-V community went bananas over the Little Black Book and they were
looking for any way they could to castigate me. The first attempt was to say
how horrible a thing this was. But that only got more people interested in
the book, so they changed their tune and started saying that the book was
poorly written, the viruses were bad viruses, etc., as if you couldn't learn
anything from it. (See for example Robert Slade's latest virus book, and his
"review" of The Little Black Book.)

Of course, I never intended the Little Black Book to be a primer for a PhD in
virus technology. It was simply an introduction that would take someone who
had very little knowledge of assembler to the place where they could
understand how viruses worked. As such, it didn't delve into all kinds of
advanced topics, like polymorphism, etc., etc. I didn't really intend to
write a bunch of viruses that would be a scourge to the world though. That
didn't cross my A-V critics' minds though. They figured that if the viruses
didn't spread then they must be lousy, and therefore the book must be lousy.
The hue and cry seemed to be that I should have written better viruses.
So for the third printing of The Little Black Book, I capitulated. I made a
few improvements to Stealth, which is now called Stealth.Boot.C. In
particular, I made it infect using the same method as Stoned, and I made it
hide itself in some clusters marked bad in the FAT. That quickly and simply
overcame its previous limitations. I also put a little note in the back of
the book thanking David Stang for the suggestions. He was one of the more
vocal critics of this type.

So anyhow, that is how Stealth.Boot.C came to be. It wasn't really my
intention for it to get let out, but now that it is out, what can I do? Shall
I not bless my creation: "Be fruitful and multiply."

>Did you think your initial research would get you to where you are today?
>Did you still expect to be in this field of study?

Where am I today, anyhow? I have to say that the negative response to The
Little Black Book was unanticipated. I mean, I expected some negative
response, but the ground swell was a little surprising. I wrote it because I
was curious about viruses but I found no one who would help me learn about
them. All the A-V would just say you shouldn't have this stuff. So I started
a BBS and collected some viruses and learned how they worked. I figured there
were others out there with the same curiosity and so I wanted to share what I
learned.

My biggest surprise was when these A-V idiots started scaring magazines away
from taking our ads, and how afraid corporate America really is of this kind
of stuff. At first it really infuriated me, but now I've learned to take it
in stride. There are plenty of hungry magazines out there to take our ads one
way or another.

Another surprise was the government's response. With all the negative
publicity I was half expecting the FBI to show up at my door any day.
Instead, I found that a lot of people in government and big corporations had
the sense to ignore the A-V balderdash and realize that they needed this
stuff.
However, what I really wanted to do was write the book Computer Viruses,
Artificial Life and Evolution. The Little Black Book paved the way for that
book, financially speaking. Its success gave me the time to do the research
and thinking needed for CVALE. The response to that book didn't surprise me
at all. There wasn't any. It just goes over the heads of most A-V and
computer security types. It's a book for people who can think, and my critics
are so practiced in their art of pseudo-moralisms that they can't think. So
they just didn't say anything.

Anyway, I've tried to stay in the virus scene, for better or worse. I think
the mentality of the A-V community is truly dangerous. It's dangerous for
people who think. It's dangerous for science. It's dangerous for people who
just don't want malevolent viruses in their computers.

>Have you more books planned for the future?

Oh, I have all kinds of crazy ideas, some of which I might actually carry
through on. I just finished the Giant Black Book of Computer Viruses, which
should be able to bring people up to speed on the subject for another five
years or so, and I just finished a new CD with 11,000 viruses on it. The
electronic freeware version of The Little Black Book is out now, too. So in
that sense, I think we've got the basics covered pretty well. I'm working
right now on a book "Computer Virus Super Technology 1996" which will deal
primarily with advanced 32-bit operating systems and the internet. I'm
thinking of a book on hacking which would include stuff on viruses.

The more mischievous side of me is thinking of a super virus creation tool in
the form of a multimedia CD game. You play the game and gather treasures
which are really parts of a virus that you are creating while you play. When
you get done, if you haven't been shot or eaten, out pops the virus you
created.
I'd tune this thing to the reflexes of a 13-year-old, and then sit back and
laugh at all of these A-V fogies sitting around trying to generate viruses
with it so they can detect them. Ha! But I'm not really going to be that
mean . . . I don't think.

But then again, computers can be really nasty to deal with. The more the
world computerizes, the less friendly it seems to become. When the telco
can't seem to realize you've moved and keeps sending you bills for the old
address, when you can never seem to get a billing dispute straightened out,
etc., it does get a little tiring. Maybe I'd be doing the human race a favor
in the long run if I put that game together and filled it with super
Darwinian viruses. . . .

=============================================================================
=============================================================================

% ALAN SOLOMON %
________________

>heya Alan,
> Lots of interviews exist with virus writers, yet
>few exist with those on the av side of the fence, so I was
>wondering if I could throw some questions at you? I'm going
>to try and get some from other AV people too, and they will
>be put in Insane Reality #8, that is, if you do answer, and
>agree to let me put them in it.... If you did agree to
>answer the questions and didn't mind them being put in IR#8,
>I don't plan on commenting anything you say, nor alter anything
>and so on.

OK; I'd like it if you could email me a couple of copies of your newsletter.

>
>Who are you exactly? Introduce yourself.

Alan Solomon. Who am I exactly - hard to answer such a philosophical
question. I'm a father of two girls, I'm a person who loves to play with
computers, programming, internet, games (currently Command & Control), I'm
British and don't plan to move, I'm a mathematician, I drive a Mazda MX5
(called the Miata in the US, the car that I hear most of the programmers at
Microsoft drive, but I heard that *after* I got mine).

>What did you get your doctorate in?
Econometrics. My first degree (BA) was in Mathematics (Cambridge give a
Bachelor of Arts no matter what subject you do). Then I got an MSc in
Management, then the PhD. Cambridge also give out MA's to anyone who gets a
BA, so I also collected one of those.

>
>How many years have you been part of the anti virus scene?

Since 1988.

>
>What first got you started in it? Did you start out writing
>a stoned remover at university like everyone else?

I was at university 30 years ago! No, a lady at a university came to me, she
had Brain virus and wanted help to get rid of it. So I helped her. Then
someone had Pingpong. Then someone sent me Stoned. Then Vienna, then Cascade,
then Jerusalem, and that infected a site with 1,000 computers, and we spent a
couple of weeks getting rid of it (these days, it would be easier, but there
were no tools then). One of the guys in MIS worked so hard, he collapsed and
was taken away ill for a few days. I realised that what people needed was the
tools to deal with viruses. So, I wrote Dr Solomon's Antivirus Toolkit. It
was the first packaged AV in the world, I think. We made 500 copies in the
first run, and before we'd advertised it, before it was ready, people heard
about it somehow and started trying to buy it from us. We sold a couple of
dozen with photocopied manuals. They'll have rarity value today!

The expression "anti-virus" is one that needs explanation. I'm not against
viruses, as such. If someone wants to write a virus, on their own computer,
that's up to them. Well, if someone wants to smash up their own computer with
a hammer, that's fine by me. It's damaging *other* people's property that's
wrong. What I'm against, is people spreading them onto other people's
computers. To me, an antivirus is something that people use to get rid of
something they don't want. And, even a virus like Form or Concept, with a
trivial payload, if people have to spend time and trouble to get rid of it,
that's a cost, so that's damage.
>It's believed that you 'head hunted' with Scotland Yard for
>Christopher Pile. How big was your role in his prosecution?

None whatsoever, Zero. You're thinking of Jim Bates, he was the guy who
worked with Scotland Yard; it was written up in Virus Bulletin. All I do is
tell people that he got 18 months, because it would be a shame for someone to
get put in prison for doing something they didn't realise was wrong. Because
ignorance of the law doesn't keep you out of prison. And most countries have
similar laws (I've got a section on my personal web site with the laws of
various countries, http://www.ibmpcug.co.uk/~drsolly/). You should get the
transcript of that case. I think it could have been defended better, but I
wasn't asked to appear for the defence, either.

You know, part of what S&S does, is work with various authorities (police,
VAT etc) on cases where a computer is important. This mostly means fraud, of
course, but I once did an interesting blackmail case.

>I know you've told me before, but could you sum up exactly
>why you played your part the way you did.

Why I played my part in what, in the Christopher Pile case? Because the
answer to that is as above, I had no part.

>You're still a programmer, with 50 odd people in the R&D department,
>so what part do you play in programming the toolkit at present?
>or do you just do the boring virus analysis?

My role is not in actually coding any more, I'm part of the design team,
pushing for new (faster, better) ways to find and repair infected files.
Although I still do bits of programming, but not for the Toolkit. I don't
think I'm very good at being a member of a large programming team. When I
used to write Findvirus, I did it single-handed, including the virus
disassemblies and database.

>How many viruses per month would you receive?

Maybe 100 or 200; it's irregular.

>Do you see this number increasing or decreasing over the
>coming months, to a year?

About the same, but who knows?
It's not a natural phenomenon like rain. I've noticed a lot of people getting
out of the virus writing scene, so maybe the number of viruses will decline.

>IMO the virus scene has been in major decline and is still going,
>Have sales of your AV products increased or decreased?

Increased. The decline you're seeing is in the number of people writing new
viruses. The increase I'm seeing is in the old viruses still spreading. Form
(5 years old) is probably still the commonest. Since all AV products detect
it, that means that most people are not running an AV. It's those people,
getting a virus and wanting to get rid of it, that drives sales of AV
products, not the number of new viruses. If there were no new viruses from
today on, that would be great. Less work to do!

>I know your company produces an Audit program or something (Gee
>great research on my part neh? :), do you feel the need to branch out
>into other programming streams in order to keep S&S going?

No, but Audit looked like a useful program, potentially profitable, and of
interest to the sort of people (big companies) who buy an AV. S&S can do fine
just selling Dr Solomon's Antivirus Toolkit.

>In some email to me you wrote of future things such as a Macro
>heuristic engine, now with future trends pointing towards the
>interpreted text form of www\java, do you feel that the text type
>style of macro virus, compared to the traditional executable binary
>style of virus, will play a much bigger role?

In my email to you, I suggested that a Macro heuristic engine might be an
interesting project to do, if you were looking for a project. I think macro
viruses are interesting, and Concept is already very widespread.

>If you could change anything about the Anti-Virus industry, what
>would it be?

It would be nice if products paid more attention to avoiding false alarms.
But until the users rise up and demand it, that won't happen.
>Ditto for the virus industry (Assuming there cannot be one without the other
>and that both will always exist)

Get virus writers to keep their creations to themselves, not spread them
around.

>
>Approximately how many hours of man-power would you say has gone into
>the development of the toolkit's heuristic engine?

Several hundred. It isn't just a matter of writing an engine, you also have
to integrate it with the rest of the product, across several platforms.

>
>Do you have any future plans computer wise beyond viruses?
>ie: Interactive Fiction with Graham? back to Fortran stuff?

I'm writing for magazines more. And exploring the internet.

>Do you feel the window into anti virus programming is still open
>or has the ship left the dock already, its too steep a learning
>curve for beginners?

I doubt if anyone can write a new scanner, including the companies already
selling them. It's too big a development job. All companies can do now, is
use the design they last did, and tweak it. I'm very lucky, I think I did the
design of Findvirus, in 1991, at *just* the last time it was possible to
re-design the engine, so I think our underlying design is better than the
others, for all sorts of reasons, most of which aren't obvious on the
outside.

>
>If the anti virus people went by handles, what would you call
>yourself?

drsolly. Hadn't you noticed? Sometimes I get called "the juggler", on account
of a thing I do at conferences sometimes.

>
>There has been a lot of noise about your White elephant and Mahout(?) lately,
>do you have a Froobious Bandersnatch you could ship down here ^_^

That's Frumious. Carroll explained it as a combination of fuming and furious.

>Anything you wish to add or comment upon?

I'm happy for people to email me, but if I get a lot of emails, I might not
reply to them all.
Dr Alan Solomon, Founder of S&S International
Chief Designer of Dr Solomon's Anti Virus Toolkit
US tel (617) 273 7400    UK tel +44 1296 318700
Business: drsolomon@drsolomon.com    http://www.drsolomon.com
Personal: drsolly@ibmpcug.co.uk      http://www.ibmpcug.co.uk/~drsolly

=============================================================================