Sub: Information Systems Security Update, # 96-13

# 96-13

SPAM without Monty Python
The Bug Archive
NSA Code Review
Has Microsoft no shame?
Lent in the Christmas Season

1. An excellent site for defensive strategies against spam attacks is www.vix.com/spam/. The site also has a list of "responsible sites" as well as a list of "rogue sites". The last update appeared to be Oct 96.

2. BugTraq archives to 1993 are available at www.geek-girl.com/bugtraq/. The BugTraq administrator, Aleph One, referenced the site and its maintainer, Jennifer Myers, in a recent posting.

3. The November 1996 edition of the IEEE "Computer" has an article entitled "Measuring Software" by Thomas Drake, a Booz Allen & Hamilton, Inc., management and technology consultant on assignment to the National Security Agency. In an attempt to address the problem of software quality, NSA has established a Software Engineering Applied Technology Center (SEATC) with the goal "to reduce maintenance costs while improving software development." Mr. Drake discusses the SEATC effort in the analysis of "25 million lines of C, C++, Fortran, and Ada code." According to Mr. Drake, an "internal NSA study shows that an average software project generates only seven to eight lines of delivered code per person per day, at a cost of approximately $70 per line (assuming a $140,000 annual loaded cost for each software developer)."

4. The November 1996 edition of "Virus Bulletin" contains an article by Andrew Krukov, "In the Beginning was the Word . . .", which proposes that the circle of virus writing is not at an end with the demise of MS-DOS. Interestingly, in the same edition are two confirmations of Microsoft continuing to distribute both the Word Concept and Wazzu viruses, either from its WWW site or on CD-ROM.

5. If you believe that the holiday season is a time for penance, you might want to pick up a copy of the proceedings of the 19th National Information Systems Security Conference in two Volumes.
I have struggled through the first 25 papers in Volume 1 with only two bright spots for my Greek-Irish common sense: "Marketing & Implementing Computer Security" by Mark Wilson, National Institute of Standards and Technology; and "Industrial Espionage Today and Information Wars of Tomorrow" by Paul M. Joyal, President, INTEGER Security Inc. On the assumption that the "best" papers are yet to come, I continue my read, but not without some concerns. In Mr. Joyal's paper, for example, he attributes two entire paragraphs to a classified CIA report entitled "Japan: Foreign Intelligence and Security Services". There is no indication that Mr. Joyal has excised "unclassified material" from this classified report, although this would be the guess. Unfortunately, the conference referees did not request he clarify this point. So someone with a perverse sense of humor might attribute the publication of classified information in the public domain to a combined NIST/NCSC document.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author (mcdonalc@wsmr.army.mil), not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]