93-26

Note: this is an OCR of a scan of a fax, so please excuse the errors.

1. The December 3, 1993 edition of Risks-Forum had an announcement that the National Research Council, Computer Science and Telecommunications Board, will undertake a study of national policy with respect to the use and regulation of cryptography. You may remember that an earlier study, 'Computers at Risk', had some specific recommendations on export controls of DES -- recommendations which have yet to be adopted. It would appear that yet another study looms on the horizon. The announcement referenced that the tasking was within the Defense Authorization Bill for FY 1994. The members of the study group, still to be identified, will require SCI clearances. For this reason there will be some delay unless, I imagine, those selected already have the prerequisite clearance. The Risks-Forum item is available for anonymous ftp. The specific citation is Volume 15, Issue 31.

2. The Fall 1993 edition of 'Computer Virus Developments Quarterly' wandered into my mailbox this weekend. Major items of interest included:

   a. Mark Ludwig announced the availability of his second of three volumes on computer viruses. A separate insert described the book in general terms and pointed out the discount savings for those who order now. The first book was 'The Little Black Book of Computer Viruses'.

   b. Mr. Ludwig reinforced his previously stated position on trading viruses: 'If you have viruses and want to trade one-on-one for others, send them in. No need to call. We'll try to fill your requests for specific viruses where possible. Our collection numbers over 5000 viruses now, but don't be shy about sending possible duplicates. We're interested in major and minor varieties, etc., as our interest goes beyond the usual a-v developer's desire to detect and disinfect.'

   c. Mr. Ludwig, within a box entitled 'Wanted: Dead or Alive!', complains about the 'increasingly overt software piracy and copyright infringement' of his products. He now offers a 'reward of 20% of all amounts collected in litigation, after attorney's fees, if you can provide evidence which we can take to court.'

   d. The technical items in the Quarterly include a discussion on Windows-based viruses and a discussion with source code on the Dark Avenger/Eddie virus.

3. Professor Lance Hoffman is in good form with his article 'Who holds the cryptographic keys? The government key escrow initiative of 1993', which appears in the November 1993 edition of the IEEE 'Computer'. The article summarizes the debate of the last two years in as concise a fashion as I have seen.

4. The Autumn 1993 edition of the '2600 Hacker Quarterly' was in my opinion particularly non-interesting. I have chosen not to issue a separate synopsis on the edition. I note that the Editor chose not to comment on the guilty plea of one of his main 'technical experts' for computer crimes. There is now a Usenet group to discuss 'issues brought up in the Magazine 2600'. The initial announcement read: 'This is a hacker's newsgroup, and please only serious hackers only. This is unmoderated, since this group is for hackers, if it was moderated it would be pointless. Hacking techniques and tips to be freely distributed. Can it get any better than that? All hackers are invited to contribute and participate.'

5. I have recently updated and distributed a significant number of product test reports on Macintosh anti-virus tools.

6. Dan Farmer and Wietse Venema recently distributed to several newsgroups a paper entitled 'Improving the Security of Your Site by Breaking Into It'. While I am still working my way through the paper, it appears to be a worthwhile document. If you missed it, I can send you an electronic copy. The document is just over 52,000 bytes.

7. I have my reservation confirmed for the Firewall tutorial at the Winter Usenix conference in San Francisco, January 1994. If you will be at the conference, introduce yourself!