Sub: Information Systems Security Update, # 97-04

Contents:
  First Announcement for the Bozon Award
  COOP Research at Your WEB Fingertips
  Would You Buy a Firewall from this Man?
  Can You Still Laugh at an Internet Hoax?
  Who Needs the Orange Book if You Have a Subscription to SA?

1. "Headcrash" by Bruce Bethke is a science fiction work on cyberspace. Throughout the novel are so-called "infonuggets" which appear in windows adjacent to the standard text. Mr. Bethke introduces the term "bozon", defined as a "quantum unit of stupidity". I thought it might be appropriate to have an annual Bozon Award for this informal mail group. So please send me your nominations for the award, to be announced on August 17, the day I entered Federal service. Please confine your nominations to the field of information systems security.

2. The March 1997 edition of "Contingency Planning & Management" has an article by Brian Mackay entitled "The Net's Catching On". Mackay identifies and briefly describes 50 WEB sites devoted to contingency, disaster recovery, and emergency preparedness planning. He also provides the http addresses of several hundred vendors involved in some way with these matters.

3. Marcus Ranum, well regarded for his technical expertise in the development of several firewalls, is unusually forthcoming in critiquing his industry. I recently visited his current WEB site and found a 1995 copyrighted paper which had escaped my attention. It is remarkably candid in its investigation of the pros and cons associated with testing firewalls. Check out "On the topic of Firewall Testing" at this mark: http://www.v-one.com/pubs/testing/fwtest.htm

4. Graham Cluley has authored an enjoyable paper on malicious program hoaxes on the Internet. The current version, dated January 8, 1997, has the title "It's the End of the World (as we know it)" and can be found at http://www.drsolomon.com/special/

5. The April 1997 edition of "Scientific American" has a plethora of articles with information systems security implications. First, there is a profile of Dan Farmer, the author of COPS and the co-author of SATAN. A previous ISSU referred the reader to Dan's recent survey of Internet hosts, http://www.trouble.org/survey/, in which he examined over 2,000 systems. If you pursue the link to "even more numbers" in the survey, you will find a helpful breakdown of vulnerabilities within nine categories. I find it interesting to compare what Dan has done against the "numbers" provided by the Defense Information Systems Agency. While DISA's numbers are universally quoted, I have yet to see at my pony express location any breakdown as to which vulnerabilities were exploited. Second, an article by Robert Matthews, "The Science of Murphy's Law", examines what many might consider a "trivial phenomenon" with hardly a "trivial explanation". This article enhanced my re-read of Peter Neumann's "Computer Related Risks". Third, Paul Wallich has a "Cyber View" column on "Cracking the U.S. Code" in which he discusses several recent events affecting cryptography. Fourth, Glenn Zorpette has a review of the new edition of David Kahn's book "The Codebreakers".

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author (mcdonalc@wsmr.army.mil), not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]