# 95-09 Contents Summer Scanner Results Show the Heat CPSR Points the Way Are Common Sense and Firewalls Compatible Will Key Escrow Ever Die 1. The July 1995 edition of "Virus Bulletin" contains its semiannual comparative analysis of MS-DOS anti-virus scanners. The standard test suites of in the wild, boot sector, standard and polymorphic viruses have been extensively updated. The viruses in each suite appear at the end of the analysis. There is a somewhat complicated description of the weighting system used in regards to polymorphic detection. Products which did well in the past continue to have respectable detection rates, but most declined in response to the polymorphic suite. AVP, which finally has a US distributor and which I recently acquired for my own personal use and evaluation, did quite well. CPAV, MSAV, NAV and SCAN appear to be losing ground. Norman Data Systems, which has the current DISA site license for DoD users, did not submit its product for evaluation. It was tested in the January 1995 edition with problems apparent in its polymorphic detection capabilities. 2. The Summer 1995 edition of "The CPSR Newletter" has some good Internet resource pointers for Freedom of Information Act (FOIA) matters. The Computer Professionals for Social Responsibility (CPSR) has been extremely active in filing FOIA requests unders its Electronic Privacy Information Center project to obtain the public release of government information concerning information security, privacy, and technology policy. The Summer edition provides a case summary of pending FOIA actions under this project. 3. The "Computer Security Journal", Volume XI, Number 1, Spring 1995 contains an interview with Marcus Ranum, Trusted Information Systems and private consultant, entitled "How NOT to Build a Firewall". The interview provides a baseline of common sense in addressing the matter of firewalls. There is also matrix on commercial firewall products with information apparently supplied by each vendor. The recently announced products by IBM and by SUN do not appear. 4. The same "Journal" edition has an article by Dr. Dorothy Denning "Key Escrow Encryption: The Third Paradigm". Dr. Denning has a more interesting paper at web.mit.edu/techreview/WWW/ articles/july95/Denning.html. In the latter she makes an interesting comment on how NSA had "some" involvement with the DES algorithm and on the potential problem which Phil Zimmerman's Pretty Good Privacy (PGP) presents. I have to note that major emergency response teams utilize PGP and that there are now commercial implementations available for MS-DOS, Macintosh and Unix platforms for those who have reservations about downloading PGP from MIT. Finally, there is a rather uninteresting "point/counterpoint" discussion in the "Journal" between Dr. Denning and Phil Zimmerman. [Disclaimer: Information Systems Security Updates represent the opinions and views of the author, not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]