aburt@isis.UUCP (Andrew Burt) (05/14/89)
[Here is a copy of a message being sent out on said list. If you've been trying to join (and faced the black hole my mailer created), this should explain things.] Sigh. I have kept up hope that around every corner will be less work to do, and I would have more free time to spend with this list. Such has not been the case, and I can see that around the next few corners there will definitely be *more* work, so I feel I should give up the editorship of the list. Strange as it sounds, it's hard to find an hour a week to put everything together. Between teaching, research, consulting, writing, and non-work related things my life is just too full, and getting more so. I have really enjoyed working with the list, and wish I had more time (past, present, and future). So... are there any volunteers to take over the list? (Not that it really only takes an hour a week, but that's probably a good minimum.) This will be the last issue I send out. I will post a message in news.sysadmin when someone has come forth, so that the event will be widely distributed (unlike some issues of the list!). Perhaps the list should be pared down to a smaller size of "really important people" with the net and the other list taking over. At any rate, there's the archives to place somewhere, etc. I believe news.sysadmin is the most appropriate place to carry on this discussion, and I will post a copy of this message there as well. I'll take part in the discussion time permitting, but this should be considered my official farewell...
neil@zardoz.UUCP (Neil Gorsuch) (05/19/89)
In article <2533@isis.UUCP> aburt@isis.UUCP (Andrew Burt) writes: > ... >This will be the last issue I send out. I will post a message in >news.sysadmin when someone has come forth, so that the event will >be widely distributed (unlike some issues of the list!). Perhaps >the list should be pared down to a smaller size of "really important >people" with the net and the other list taking over. At any rate, >there's the archives to place somewhere, etc. > ... I am the administrator of the ongoing, well established unix security mailing list hosted on zardoz (cpd.com) that has been joined by over 400 sites in the last 6 months, and has sent out 21 digests so far this year. Some of the "sites" are expansions for larger areas, including one for an entire continent. I would have assumed that Andrew Burt would have sent the archives to me, but I haven't seen them yet. Perhaps a mail problem? I use the NIC database and uucp maps as a reference to help evaluate membership applications, and have access to a respected security expert for unusual cases. My primary goal is to provide a forum where system administrators and other appropriate people can be informed of serious security dangers BEFORE they become common knowledge. A secondary goal is to provide security enhancement information. Most zardoz mailing list material has been explanations of, and fixes for, specific security "holes". I DO NOT believe in security through obscurity, but I certainly don't spread "cracking" methods to the world at large as soon as they become known. The zardoz list is, in my opinion, an excellent compromise between the two ideas. It is not intended for the discussion of theoretical security techniques or "Should we thank Mr. Morris?" type subjects, there is no need for secrecy regarding such matters, and appropriate usenet news groups already exist that serve those purposes. It is, however, appropriate to post security checkup programs and scripts, and specific security enhancement methods to this list in addition to the proper news groups. I assume that the readers of this list took a special effort to join, and would appreciate appropriate material being sent via email so that they don't have to sort through many news groups to "catch" everything. zardoz is a Solbourne workstation with 43 uucp links, including uunet, and is in the process of becoming part of the Internet. Reliable delivery is available to any bang path or internet address. Each mailing list destination can choose to receive either automatically "reflected" postings of all received material, or moderated digests that are sent out about once a week. There is a seperate posting address for emergencies that reflects the received material to the entire mailing list without any intervention on my part. I typically require that destinations have an interest in unix site security, or are involved in adding security enhancement software to unix, but I am flexible. To apply for membership, send email from one of the following or send email requesting that I contact one of the following (please arrange the former, it saves me time): 1. For uucp sites with a uucp map entry, the listed email contact, map entry writer, or root. 2. For internet sites, the NIC "WHOIS" listed site contact, or root. Please include the following: 1. The uucp map entry and map name to find it in, or the WHOIS response from the NIC and the request handle. 2. The actual email destination you want material sent to. It can be a person or alias, but must be on the same machine that you use as a reference, or in a sub-domain of said machine. 3. Whether you want immediate reflected postings, or the weekly moderated digests. 4. The email address and voice phone number of the administrative contact if different from the above. 5. The organization name, address, and voice phone number if not listed already. Please don't do any of the following: 1. send email from root on machine_17.basement.podunk_U.edu and expect that to be sufficient for membership. With workstations being so prevalent, and being so EASY to "crack", root doesn't mean much these days. 2. send email from root on the uucp map entry listed site toy-of-son and expect that to be sufficient. If you would prefer material sent to a home machine, verify your credentials through one of the previously mentioned methods. 3. send mail from a network that I don't have any way to verify, such as bitnet or others. I can verify uucp and internet sites. Send me some way to verify your credentials if you can't use an appropriate listed uucp or internet site. 4. send me mail saying I can verify your identity and credentials by telephoning a long distance number. I will continue to donate the extra computer capacity required for sending and archiving this list, and I will continue to spend the money on the extra uucp/internet communication costs that this list requires, but I draw the line at spending money on voice long distance phone calls. 5. send me an application request that involves a lot of time and special procedures for verification. Please try to make my processing of your application an easy matter. If you have sent in an application before, but have not been answered, it was probably lost somewhere, so please try again. I do eventually answer all requests one way or the other, but the membership list requests are sometimes not looked at for a week or two. Like the time last week when a news configuration error caused my email mailbox to set a new personal record, 2925 entries :<}, or during the probable upcoming flood of new application requests. Thank you for your attention (not one on my shorter postings :<} ), but the hour grows late, and I must sign off. Neil Gorsuch ( AKA security-request@cpd.com or uunet!zardoz!security-request ) (714) 546-1100 President, Custom Product Design, Inc. ( AKA Uninet )