[comp.unix.wizards] Security mailing list

jbn@glacier.STANFORD.EDU (John B. Nagle) (11/15/88)

      I suggest that the security mailing list be posted to a newsgroup,
but with a 60-day delay.  Sites and vendors serious about security will either
have fixed any problem by that time, or they probably aren't going to fix it
at all.  This ensures that a false sense of security is not engendered among
system administrators, yet allows a reasonable time for closing newly discovered
problems.
      General knowledge of that 60-day timer will tend to accelerate efforts
by vendors to fix problems, I would suspect.

      Why 60 days?  A monthly update service would be enough to keep systems
operating with the latest security fixes.  30 days would require biweekly
updates to stay current, which is a bit frequent.  Much longer than 60 days,
and the pressure would be off on fixing holes.

					John Nagle

dhesi@bsu-cs.UUCP (Rahul Dhesi) (11/15/88)

In article <17841@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>I suggest that the security mailing list be posted to a newsgroup,
>but with a 60-day delay.

This is a good idea.  In the case of the oft-quoted ftpd bug, the above
procedure was roughly followed, and it worked.
-- 
Rahul Dhesi         UUCP:  <backbones>!{iuvax,pur-ee}!bsu-cs!dhesi

moran@tron.UUCP (Harvey R Moran) (11/16/88)

In article <4752@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>In article <17841@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>>I suggest that the security mailing list be posted to a newsgroup,
>>but with a 60-day delay.
>
>This is a good idea.  In the case of the oft-quoted ftpd bug, the above
>procedure was roughly followed, and it worked.
>-- 
>Rahul Dhesi         UUCP:  <backbones>!{iuvax,pur-ee}!bsu-cs!dhesi

    I wonder how many more people out there believe that sites without
access to the security mailing list (or possibly even USENET) should
have their risks increased pretty significantly?  How about us binary
license sites?

    If you consider the UNIX community to include both binary license
sites and sites with no access to USENET, the *most* such a newsgroup
would accomplish is to make a larger group of privileged characters --
i.e. anyone with access to USENET.  It would *not* get the information
to all concerned SA's.

    Please don't take the 60 day suggestion.  I wouldn't want to be
forced to abandon UNIX and use VMS.  Please note that I do not claim
VMS is any more inherently secure than UNIX, just that DEC doesn't
publish break-in methods around the world.  It wouldn't take many
successful break-ins to convince my management to abandon UNIX, or at
least UNIX with *any* communication with the outside world.

         Harvey Moran       moran@tron.UUCP@umbc3.UMD.EDU
                            {wb3ffv,netsys}!hrmhpc!harvey

dave@lethe.UUCP (David Collier-Brown) (11/19/88)

>>In article <17841@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>>>I suggest that the security mailing list be posted to a newsgroup,
>>>but with a 60-day delay.
> 
From article <386@tron.UUCP>, by moran@tron.UUCP (Harvey R Moran):
> I wonder how many more people out there believe that sites without
> access to the security mailing list (or possibly even USENET) should
> have their risks increased pretty significantly?  How about us binary
> liscense sites?
>

 Well, consider two points:

	1) If you're not on the net, and preferably don't support
async communications, your insecurity to communications-related
attacks is not significantly affected.
	2) Binary sites get patches too: my Sun comes with patches
printed on paper, for me to apply the hard way.

  The suggestion of a 60-day timeout is by no means a cure-all. It
is a heuristic to improve the general case while minimizing impact
upon other cases.

--dave

root@pmdvax.UUCP (The Superuser) (10/09/89)

would someone associated with the unix security mailing list please
refer me to whom I might subscribe to any lists addressing unix
security, etc.?  Thankz.
				-scott
-- 
Scott G. Taylor                                    Pmd Resources  (818) 991-0068
{wlbr,mahendo}!snidely!staylor                     31230 Cedar Valley Dr.
                                                   Westlake Village, CA  91361
		        "Vienoti Latvijai!"

neil@zardoz.UUCP (Neil Gorsuch) (10/10/89)

In article <111@pmdvax.UUCP> root@pmdvax.UUCP (The Superuser) writes:
>would someone associated with the unix security mailing list please
>refer me to whom I might subscribe to any lists addressing unix
>security, etc.?  Thankz.

I run the unix security mailing list.  I will probably regret posting
rather than emailing (there are already 437 letters waiting for my
attention in my security mailbox), but it's been a while since details
have been posted, so here goes:

UNIX SECURITY MAILING LIST

The unix security mailing list exists for these reasons:

1. To notify system administrators and other appropriate people of
   serious security dangers BEFORE they become common knowledge.
2. Provide security enhancement information.

Most unix security mailing list material has been explanations of, and
fixes for, specific security "holes".  I DO NOT believe in security
through obscurity, but I certainly don't spread "cracking" methods to
the world at large as soon as they become known.  The unix security
list is, in my opinion, an excellent compromise between the two ideas.
It is not intended for the discussion of theoretical security
techniques or "Should we thank Mr. Morris?" types of subjects, there
is no need for secrecy regarding such matters, and appropriate usenet
news groups already exist that serve those purposes.  It is, however,
appropriate to post security checkup programs and scripts, and
specific security enhancement methods to this list in addition to the
proper news groups.  I assume that since the members of the list made
a special effort to join, they might appreciate appropriate material
being sent via email so that they don't have to sort through many news
groups to "catch" everything.

zardoz is well connected, having 45 uucp links including uunet, and is
in the process of becoming part of the Internet.  Reliable delivery is
available to any bang path or internet address.  Each mailing list
destination can choose to receive either automatically "reflected"
postings of all received material, or moderated digests that are sent
out about once a week.  There is a separate posting address for
emergencies that reflects the received material to the entire mailing
list without any intervention on my part.

The typical list member is a system administrator of a large
educational or commercial site, or a person that is involved with
security implementation for a large vendor.  However, I am flexible
and make exceptions to those guidelines.  To apply for membership,
send email from one of the following or send email requesting that I
contact one of the following (please arrange the former, it saves me
time):

1.	For uucp sites with a uucp map entry, the listed email contact,
	map entry writer, or root.
2.	For internet sites, the NIC "WHOIS" listed site contact, or root.

Please include the following:

1.	The uucp map entry and map name to find it in, or the WHOIS
	response from the NIC and the request handle.
2.	The actual email destination you want material sent to.  It
	can be a person or alias, but must be on the same machine
	that you use as a reference, or in a sub-domain of said machine.
3.	Whether you want immediate reflected postings, or the weekly
	moderated digests.
4.	The email address and voice phone number of the administrative
	contact if different from the above.
5.	The organization name, address, and voice phone number if not
	listed already.

Please don't do any of the following:

1.	send email from root on machine_17.basement.podunk_U.edu and
	expect that to be sufficient for membership.  With
	workstations being so prevalent, and being so EASY to "crack",
	root doesn't mean much these days.
2.	send email from root on the uucp map entry listed site
	toy-of-son and expect that to be sufficient.  If you would prefer
	material sent to a home machine, verify your credentials through
	one of the previously mentioned methods.
3.	send mail from a network that I don't have any way to verify,
	such as bitnet or others.  I can verify uucp and internet sites.
	Send me some way to verify your credentials if you can't use
	an appropriate listed uucp or internet site.
4.	send me mail saying I can verify your identity and credentials
	by telephoning a long distance number.  I will continue to donate
	the extra computer capacity required for sending and archiving
	this list, and I will continue to spend the money on the extra
	uucp/internet communication costs that this list requires, but I
	draw the line at spending money on voice long distance phone calls.
5.	send me an application request that involves a lot of time and
	special procedures for verification.  Please try to make my
	processing of your application an easy matter.

All email regarding this list should be sent to:

security-request@cpd.com (INTERNET sites)
uunet!zardoz!security-request (UUCP sites)

Please be patient, I answer all requests, but I receive hundreds of
letters a week.  If you don't receive an answer after a reasonable
amount of time (2 or 3 weeks), send another request, in case the
previous one was eaten by an email monster 8<).

Neil Gorsuch
(AKA security-request)