From: Chris McDonald (3/31/93)
To: securitylist:;@WSMR-SIMTEL20.AR,
CC: reviewslist:;@WSMR-SIMTEL20.ARM,
Mail*Link® SMTP Information Systems Securit # 93-12

1. The March/April 1993 edition of "Infosecurity News" has a column by William H. Murray, an executive consultant to Deloitte & Touche, in which he commits to print Bob Courtney's Laws. The "Laws" have been a frequent source of Internet discussion, and have engendered a decade of debate over the Orange Book in particular. Bob Courtney was an associate of Mr. Murray while both were employees of IBM. For those who may have missed the article, and for those who may have submitted comments to the Draft Federal Criteria, here are the Laws.

   First Law: You cannot say anything interesting about the security of a system except in the context of a particular application and environment.

   Second Law: Never spend more money eliminating a security exposure than tolerating it will cost you.

   Third Law: There are no technical solutions to management problems, but there are management solutions to technical problems.

2. "PC Magazine", April 13, 1993, has an initial overview of DOS 6, to include those portions of CPAV (reference Product Test 36), which have been included. For those who have other site licensed anti-viral tools, you might be interested in the "default" installation configuration documented by the magazine's test staff. The edition also has an evaluation of surge protectors with some surprisingly bad results for several products.

3. Datawatch Corporation has announced an excellent promotion of many of their Macintosh programs. A so-called "SuperSet" will allow one to buy Citadel, Virex, the 911 Utilities, and two other programs for $55.00 (reference Product Tests PT-10 and PT-46). I have no financial interest in the firm, and will receive nothing for posting this item. The telephone number is (919) 490-1277.

4. NIST will sponsor a User's Forum on Application Portability Profile and Open System Environment (OSE) on May 25-26, 1993. One workshop on the 26th will discuss Security in Open Systems. The NIST POC for registration information is Diane Harrison, (301) 975-2776. The location of the forum will be Gaithersburg, MD.

5. The Spring 1993 edition of "2600 The Hacker Quarterly" is available. I will post a separate synopsis of the edition.

6. Although mentioned in an earlier update, Peter Goldis has an excellent article "MVS Integrity: The Intruder's Point of View" in the current "Information Systems Security" published by Auerbach Publications.

7. NCSC has distributed two more documents in its Rainbow series: (a) NCSC-TC-010, subject: A Guide to Understanding Security Modeling in Trusted Systems; and (b) NCSC-TG-024, volume 1 of 4, subject: A Guide to Procurement of Trusted Systems. These are rather "heavy" documents for the more seriously inclined practitioner.

8. I have begun an evaluation of Rosenthal Engineering's Virus Simulator and MtE Simulator. If anyone on the mail list has some experience with the programs, would you please let me know so that we may compare notes.
-------
------------------ RFC822 Header Follows ------------------
Received: by with SMTP;31 Mar 1993 20:48:31 -0800
Return-path: CMCDONALD@WSMR-SIMTEL20.ARMY.MIL
Received: from by (PMDF #3384 ) id <>; Wed, 31 Mar 1993 20:37:54 PST
Received: from by (PMDF #3384 ) id <>; Wed, 31 Mar 1993 20:37:32 PST
Received: by (4.1/LLNL-1.18/ id AA01123; Wed, 31 Mar 93 20:38:11 PST
Received: from WSMR-SIMTEL20.ARMY.MIL by (4.1/LLNL-1.18/ id AA01116; Wed, 31 Mar 93 20:38:05 PST
Date: 31 Mar 1993 21:27:19 -0700 (MST)
From: Chris McDonald
Subject: Information Systems Security Update, #93-12
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: securitylist:;@WSMR-SIMTEL20.ARMY.MIL
Cc: reviewslist:;@WSMR-SIMTEL20.ARMY.MIL
Resent-message-id: <>
Message-id: <12865551895.19.CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
X-Envelope-to:
X-VMS-To: IN%"securitylist:;@WSMR-SIMTEL20.ARMY.MIL"
X-VMS-Cc: IN%"reviewslist:;@WSMR-SIMTEL20.ARMY.MIL"
Content-transfer-encoding: 7BIT
======================================================================