mcb@tis.llnl.gov (Michael C. Berch) (10/30/88)
[For those who haven't been following the discussion in news.sysadmin, the following is related to discussion of the allegedly "revived" security mailing list, and the larger issue of whether closed mailing lists or open forums are more appropriate for discussion of security matters.]

Andrew Burt (aburt@isis.UUCP) writes that he is planning to revive the security mailing list that he once moderated, and plans to attempt to limit the membership and attempt to guarantee the "integrity" of the list by putting list applicants through some sort of rigorous questionnaire, limiting the membership to admins of "large sites", and so forth.

It is my opinion that these tests will do nothing other than create the illusion of security -- the illusion that the list is closed and that only the members approved by the moderator are actually reading it. Unfortunately, I know too much about UUCP/Internet electronic mail to believe that. I also firmly oppose the concept of "security by obscurity" -- that computer security matters should only be discussed in hushed tones among the old-boy network of large site system administrators. Frankly, some of the most capable security consultants I know are small-system administrators who would perforce be excluded by the "rules" Mr. Burt proposes. Furthermore, the extremely bureaucratic process by which a site must petition to join the list is, in itself, daunting.
Some time ago, we attempted to join the previous incarnation of the list; while I would certainly be eligible (as the admin of a government site -- indeed, at an organization that sponsors several computer security projects), we never did get added (all I ever got was a rather curt response that I was supposed to contact some other sysadmin at another site at LLNL, despite the fact that the site we were referred to was apparently incapable of redistribution, and despite the fact that LLNL maintains at least seven independent unclassified computer centers, and we are not co-located with any of the other six). I can only imagine what trying to join the new incarnation of the list will be like; perhaps I may as well start by faxing Mr. Burt my personnel records and a copy of my security clearance. (;-)

The answer to all of this, I think, is to realize that trying to lock up a security mailing list is not the right thing to do. Actually, I think the opposite is appropriate -- an unrestricted, unmoderated security newsgroup. This will accomplish two main points:

1) Assure the widest dissemination of information to system administrators, network managers, implementors and developers of software products and operating systems, etc., about threats and the measures that must be taken to eliminate them.

2) Remove the false sense of security and privacy attendant to a so-called "closed" mailing list, where neither the administrative procedures nor the method of dissemination of messages (open electronic mail) can assure security.

Therefore, I propose for discussion "comp.security", unmoderated and unrestricted. (This is not a call for votes. DO NOT mail or post votes, they will be ignored.) Followups should be directed to news.groups.

As a short-term solution, I propose the provisional creation of alt.security: this can be discussed in alt.config, and assuming a positive "sense of the altnet", the latter group can be created with less delay, and can be migrated to comp.security later, if admitted to the main Usenet hierarchy.

Michael C. Berch
mcb@tis.llnl.gov / uunet!tis.llnl.gov!mcb / ames!lll-tis!mcb
allen@sulaco.UUCP (Allen Gwinn) (10/31/88)
In article <1147@unisec.usi.com>, dpw@unisec.usi.com (Darryl P. Wagoner) writes:
> In article <22460@tis.llnl.gov> mcb@tis.llnl.gov (Michael C. Berch) writes:
> [...about reviving his security mailing list...]
> ~...limiting the membership to admins of "large sites", and
> ~so forth.
> Hear, hear! I have two small systems and do a lot of security work.
> I hope to end up doing a B2 secure Unix. Yet, I would be denied
> access to a mailing list that would make my job easier.

I echo that sentiment! People who manage smaller sites are just as interested in security as people who manage larger sites. To propose excluding them is ridiculous.

> This method of dissemination of information about security has the
> negative effect of keeping the small SAs in the dark about security
> while only adding a small amount of security to the large sites. We
> all know that crackers will have most of the information already.
> I say let's have a vote on it. I will even collect them. And post
> the results. Let's stop this method of getting security information
> via an elite mailing list.

Being extremely interested in the security aspects of Unix, I think a newsgroup in which to discuss these issues would be highly interesting. By exposing (and publicizing) security problems, you force manufacturers and OEMs to deal with the matter and not just sweep it under the rug.

If the group idea doesn't go through, I would be happy to create a security mailing list on this system to pass information back and forth. Is there any interest in this?
-- 
Allen Gwinn ...sulaco!allen
Disclaimer: The facts stated are my own.
"Remember, facts are stupid things." - Brad Schoening (uiucdcs!schoenin)
scs@itivax.UUCP (Steve C. Simmons) (10/31/88)
A number of folks have been p*ssing and moaning about how restrictive the security mailing list is. Leave aside for the moment arguments about whether or not the list membership should be closely controlled. It's not all *that* hard to get on -- or at least, it wasn't when aburt was being active. All you had to do was log in as root and send mail to aburt asking to get on. He then wrote to all the roots in the mail chain, asking if the next step in the chain was legit. As best I recall it took three hops to get him satisfied. Size of system had nothing to do with it. At the time I was (and will be) getting on a 3b1 that's only got me in the passwd file.

On an unrelated topic: I spoke freely about security issues *affecting my own system* precisely because I trusted aburt's vetting of the list. If it were wide open, I'd've been much more circumspect. This is not to say that we shouldn't have an open discussion; we should. But the things I say in a trusted group would be far different from those I say in an open forum.

Keep the security list as it is. But let's seriously talk about a comp.security, or maybe comp.unix.security.
-- 
Steve Simmons ...!umix!itivax!scs
Industrial Technology Institute, Ann Arbor, MI.
"You can't get here from here."
rich@jolnet.ORPK.IL.US (Rich Andrews) (10/31/88)
If there is going to be a mailing list, put me on it. Security is always an issue here. If there is going to be a new group, put in my yes vote.

Rich Andrews
-- 
Any opinions expressed are my own. Now, for a limited time, they can be yours too, for the incredible price of only $19.95. Simply send $19.95 (in Alterian dollars) to ...killer!jolnet!rich or rich@jolnet.orpk.il.us.
mabon@infmx.UUCP (Pam Mabon) (11/01/88)
In article <329@sulaco.UUCP> allen@sulaco.UUCP (Allen Gwinn) writes:
lots of text deleted
>Being extremely interested in the security aspects of Unix, I think a
>newsgroup in which to discuss these issues would be highly interesting.
>By exposing (and publicizing) security problems, you force manufacturers
>and OEMs to deal with the matter and not just sweep it under the
>rug.
>
>If the group idea doesn't go through, I would be happy to create a
>security mailing list on this system to pass information back and
>forth. Is there any interest in this?
>
>--

I am extremely interested in this because one of the goals (there's a stronger word for this, but I can't remember it) for my department is to increase security both internally and externally. If we open ourselves up as a news feed then we're also opening a can of worms that would probably be better left alone. I would prefer a group because I know that whatever I might think of or run across has probably already been thought of by most of the system-crackers out there.

Yes, there is interest, just let me know what I have to do to stay on the list for whatever action is finally taken.

Thanks,
pam
"Today is the Tomorrow you feared Yesterday"
ron@motmpl.UUCP (Ron Widell) (11/02/88)
In article <329@sulaco.UUCP> allen@sulaco.UUCP (Allen Gwinn) writes:
=In article <1147@unisec.usi.com> dpw@unisec.usi.com (Darryl P. Wagoner) writes:
=> In article <22460@tis.llnl.gov> mcb@tis.llnl.gov (Michael C. Berch) writes:
=>>
=>> [...about reviving his security mailing list...]
=>>
=>> ~...limiting the membership to admins of "large sites", and
=>> ~so forth.
=
=> Hear, hear! I have two small systems and do a lot of security work.
=> I hope to end up doing a B2 secure Unix. Yet, I would be denied
=> access to a mailing list that would make my job easier.
=
= [...Allen agrees and then asks...]
=
=If the group idea doesn't go through, I would be happy to create a
=security mailing list on this system to pass information back and
=forth. Is there any interest in this?
=

A resounding *YES*. If a group does not get formed (and I hope it does), I, for one, would be very interested in a mailing list.

=--
=Allen Gwinn ...sulaco!allen Disclaimer: The facts stated are my own.
="Remember, facts are stupid things." - Brad Schoening (uiucdcs!schoenin)
-- 
Ron Widell, Field Applications Eng.     | UUCP: motmpl!ron
Motorola Semiconductor Products, Inc.,  | Voice: (612)941-6800
9600 W. 76th St., Suite G               | If they *knew* what I was saying,
Eden Prairie, Mn. 55344-3718            | do you think they'd let me say it?
jwm@stdc.jhuapl.edu (Jim Meritt) (11/03/88)
I vote "yes"

Reason: It isn't just the administrators who have to be concerned about security - it is the poor fools who put their stuff in the *^%$$^%#%% box and EXPECT (magic?) it to be secure.

And make it "comp", "alt" doesn't get around as well, or as far...

Disclaimer: My ideas, not APL's - at least, not by design.....
NO Dukes!
stever@tree.UUCP (Steve Rudek) (11/04/88)
mark me (the sysop at this site) down for your "unix security" mailing list.
neil@zardoz.UUCP (Neil Gorsuch) (11/04/88)
In article <1061@motmpl.UUCP> ron@motmpl.UUCP (Ron Widell) writes:
>In article <329@sulaco.UUCP> allen@sulaco.UUCP (Allen Gwinn) writes:
>=In article <1147@unisec.usi.com> dpw@unisec.usi.com (Darryl P. Wagoner) writes:
>=If the group idea doesn't go through, I would be happy to create a
>=security mailing list on this system to pass information back and
>=forth. Is there any interest in this?
>A resounding *YES*. If a group does not get formed (and I hope it does),
>I, for one, would be very interested in a mailing list.

There is a new security mailing list in place and working on zardoz that has over 60 members as of today. In case anyone missed the double security mailing list situation, here is a summary:

1. There was a security mailing list on isis that has been inactive for 12 months (so I have been told).
2. I started a new security mailing list on zardoz about 2 weeks ago.
3. Andrew Burt on isis announced his intention to re-start the list on isis a short time later.

The main differences between the zardoz list as it exists and the reincarnated isis list as Andrew Burt has announced it are:

1. The zardoz list membership requirements are not as stringent. Any system administrator on a site listed in the uucp maps or in the NIC database can join by sending me email from their root account, or can request that one or more mail names at their site be included. Other arrangements are available by special request, and I respond with additional information to any email that I am not completely satisfied with on an individual basis. Joining the isis list requires a special machine-readable format message being emailed that must be correct or it will be ignored.

2. The isis list is much more secure, since verification of prospective members requires validation by other large sites. The zardoz list is much less secure, but I don't think that anything short of hiring private detectives to investigate prospective members will ensure real security anyway. I will trust the maps as my reference. If a site has a problem with users being able to fake mail from root, the site is probably full of security holes, and further hints for the crackers there (excuse me, users) won't do much further damage.

3. Small sites will probably have a hard time qualifying to be on the isis list. The zardoz list accepts system administrators of any listed site, and other sites will be included upon special arrangement.

4. Any mailing address on a site can be used by the zardoz list, including individual accounts or mail aliases. The isis list will only be mailed to "seclist" at each site.

5. The isis list will require re-registration of each site once a year. No re-registration requirements are needed for the zardoz list.

6. The zardoz list is already in place and operating. The isis list, to my knowledge, is still being set up again.

To give Andrew Burt credit, I have been told that the isis mailing list previously had VERY delicate information in it, such as system source code patches, and very specific techniques for breaking into systems. My intentions for the zardoz mailing list are that prevention techniques should be discussed in great detail, including simpler ones that most system administrators, being inexperienced, may not yet be familiar with.

I have received mail from Andrew Burt outlining a proposal from him that the new isis list will be for sensitive material and the zardoz list should be for non-sensitive material. I have tried to reach him by phone for the last 4 days, but he hasn't returned my calls, so I don't know exactly how he views the zardoz list. My views on the differences between the two new lists are somewhat similar, but I would classify the zardoz list as being a compromise between the new isis list and an open newsgroup.

Material posted to the zardoz list will probably not be read by more than a few crackers, and the vast majority, and hopefully all, of its readers will be system administrators genuinely concerned with security. Anyone who is overly concerned about their postings possibly being read by a cracker should probably join the isis list. Any system administrator who is more concerned with propagating and receiving information than with the possibility of that information being seen by a few (hopefully none) crackers should join the zardoz list.

To join the zardoz list, just send mail to:
sec-request@cpd.com or !uunet!ccicpg!zardoz!sec-request
from root or one of the email contact accounts listed in the maps for your site. Postings should go to security@cpd.com or !zardoz!security.

Thanks for reading this through,
neil@cpd.com
!uunet!ccicpg!zardoz!neil
(714) 547-3000
Custom Product Design, Inc.
Santa Ana, California, USA
daveb@geaclib.UUCP (David Collier-Brown) (11/04/88)
From article <346@itivax.UUCP>, by scs@itivax.UUCP (Steve C. Simmons):
> Keep the security list as it is. But let's seriously talk about a
> comp.security, or maybe comp.unix.security.

I'd also like to see a public discussion group for
1) known, solved problems
2) discussion of theory and standards.

I suspect that there always will be a private sysadmin's security mailing list for each major system/os on the net... I've not seen much discussion of the "orange book" on the net, which I found strange... I saw less of it on the mailing list back when I was on it, which was by no means strange: the list tended to consider practical aspects.
-- 
David Collier-Brown.        | yunexus!lethe!dave
Interleaf Canada Inc.       |
1550 Enterprise Rd.         | HE's so smart he's dumb.
Mississauga, Ontario        | --Joyce C-B
beb@mit-amt (Brian E Bradley) (11/07/88)
"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." - Lawrence Dalzell Your "vetting" will have to be excellent if you are to avoid "moles": I would suggest avoiding Cambridge University graduates from the '30s.
pcolby@robbie.prime.com (Peter Colby) (11/11/88)
In article <33589@zardoz.UUCP> neil@zardoz.UUCP (Neil Gorsuch) writes:
>
> [much explanation regarding the social & professional qualifications
> needed for inclusion on either the "zardoz" or the "isis" security lists]
>
>To join the zardoz list, just send mail to:
>sec-request@cpd.com or !uunet!ccicpg!zardoz!sec-request
>from root or one of the email contact accounts listed in the maps for
>your site. Postings should go to security@cpd.com or !zardoz!security.
>

Once again, some of us poor SAs are being discriminated against. I am the administrator for a small (10 to 30 machines depending upon responsibilities) LAN in a major computer company. I receive mail on our gateway to one of the major company networks (250+ machines) which in turn is connected to yet other company networks with an unknown (to me) number of machines. Thus, I would not be surprised if there were 500 machines networked together with several layers of LANs (and associated gateways). Suffice it to say that there are a limited number of published gateways to the outside world (3 published in the various d.* and u.* maps and the main company gateway/domain registered with SRL/NIC).

Now it should be obvious that:
#1) There is no way in h**l that all (or even close to most) of our systems can be published outside the company.
#2) There is no way in h**l that the main gateway administrators can be responsible for even most of the smaller LANs in the tree - let alone take responsibility for security on the 500+ local machines.
#3) There is every reason in the world that any local LAN or system administrator should be interested in the security of the system(s) they administrate.

I certainly care about security, I would like at least the systems I administrate to be as secure as possible, and my work and family responsibilities (I am not a full time system administrator - even in my professional life) preclude any kind of formal (or even extensive informal) study of security. The mentioned mailing lists would be my best source of the information I need to do the administration part of my job properly. BUT, by several levels, I do not even qualify for the zardoz list, let alone the isis list. (Yes, I will send my request to the mentioned address - from root on my gateway machine, but...)

Aside from all else, I should comment that I feel strongly that secrecy (of information) will eventually lead to the destruction of all that makes life in this world truly worth living. If you don't know about it, how can you even reason about its possible consequences or directions, let alone fight it or even steer it into more appropriate channels? SECRECY CAN ONLY BE USED FOR REPRESSION/OPPRESSION!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
UUCP: {sun,decvax,linus}!cvbnet!pcolby  ||| "We has met the enemy and he is us."
UUCP: pcolby@robbie.prime.com           ||| Pogo
CSNET: pcolby@robbie.prime.com          |||
borynec@bnr-di.UUCP (James Borynec) (11/17/88)
In article <356@cvbnet2.UUCP>, pcolby@robbie.prime.com (Peter Colby) writes:
> In article <33589@zardoz.UUCP> neil@zardoz.UUCP (Neil Gorsuch) writes:
> > [much explanation regarding the social & professional qualifications
> > needed for inclusion on either the "zardoz" or the "isis" security lists]
> >
> Once again, some of us poor SAs are being discriminated against.

I am in the same boat as Peter. I (perhaps not surprisingly) also agree with Peter. We have to get security information out to ALL system administrators. This effectively requires a PUBLIC security list/group. It may be a bitter pill, but I see no other workable option.

James Borynec
utgpu!bnr-vpa!bnr-di!borynec

ps. This whole argument reminds me of the 'criminals have guns' debate
neil@zardoz.UUCP (Neil Gorsuch) (11/19/88)
In article <143@bnr-di.UUCP> borynec@bnr-di.UUCP (James Borynec) writes:
>In article <356@cvbnet2.UUCP>, pcolby@robbie.prime.com (Peter Colby) writes:
>> In article <33589@zardoz.UUCP> neil@zardoz.UUCP (Neil Gorsuch) writes:
>> > [much explanation regarding the social & professional qualifications
>> > needed for inclusion on either the "zardoz" or the "isis" security lists]
>> >
>> Once again, some of us poor SAs are being discriminated against.
>
>I am in the same boat as Peter. I (perhaps not surprisingly) also agree
>with Peter. We have to get security information out to ALL system
>administrators. This effectively requires a PUBLIC security list/group.
>It may be a bitter pill, but I see no other workable option.

I have no absolute rules on membership. Many SAs of systems not listed in the maps have been added to the zardoz list. I am flexible and have even added a mailing destination that is used for an entire continent. For a situation such as prime.com, I would urge the domain entry site to set up their own list which I will send to. What I am trying to do is limit distribution to SAs, SA-implemented mailing aliases (or lists), or user destinations that are not objectionable to their SAs.

Judging by the flood of mail requests to join that are waiting to be processed by me, I would say that the idea of a moderately secure list is a popular one. As of today, there are 153 mailing destinations, with approximately 70 requests waiting in my mailbox. (I'm falling a little further behind :<) )

To clarify the membership guidelines:

Any commercial or educational site listed in the uucp maps can be added by a mail request from root or one of the email contacts or the map entry writer.

Any commercial or educational site listed in the MX tables can be added by a mail request from root.

Other sites require special arrangements.

Send requests to security-request@zardoz.uucp or security-request@cpd.com
A good uucp route is uunet!ccicpg!zardoz!security-request

neil@cpd.com
uunet!ccicpg!zardoz!neil
(714) 547-3000
vjs@rhyolite.SGI.COM (Vernon Schryver) (11/20/88)
In article <38151@zardoz.UUCP>, neil@zardoz.UUCP (Neil Gorsuch) writes:
> Any commercial or educational site listed in the uucp maps can be added
> by a mail request from root or one of the email contacts or the map entry writer.
> Any commercial or educational site listed in the MX tables can be added
> by a mail request from root.

All of the talk about dirty, nasty, greedy, lazy vendors is kind of silly if you are going to keep this stuff secret. You "SA's" do occasionally install new releases, don't you? Do you sometimes install new systems, occasionally from a different vendor? Do you want the holes fixed, or are you simply accumulating your own bags of security holes, for your own use, whether to impress your clients and bosses or for worse?

You need to tell every vendor from whom you might ever purchase a system, ideally including those not on the Internet or Usenet. (Yes, there are companies my current employer thinks are competitors which are on neither. Of course, you are more than welcome to disagree about this.)

The people who administrate the gateways usually have nothing to do with the people who build and fix the products. (It is a sign of a small or until recently small company when the MIS types have not been able to wrest control of the gateway from engineering.) If you tell Foo Inc about a bug, and it is a real bug, 100 to 1000 people will be privy to it. At most one will be an "SA", and three or four might know the root password of foo.com. (In bigger companies than I've worked for, that might be >>1000.)

In sum, if you're not basically a 'bad-guy' yourself, you're going to end up letting many unwashed people in on the secret. The longer you delay, the longer it will take to get it fixed.

Vernon Schryver
Silicon Graphics
vjs@sgi.com
trn@aplcomm.jhuapl.edu (Tony Nardo) (11/22/88)
In article <22274@sgi.SGI.COM> vjs@rhyolite.SGI.COM (Vernon Schryver) writes:
>In article <38151@zardoz.UUCP>, neil@zardoz.UUCP (Neil Gorsuch) writes:
>> Any commercial or educational site listed in the uucp maps can be added
>> by a mail request from root or one of the email contacts or the map entry writer.
>> Any commercial or educational site listed in the MX tables can be added
>> by a mail request from root.
>
>All of the talk about dirty, nasty, greedy, lazy vendors is kind of silly
>if you are going to keep this stuff secret.

Odd. I don't see talk about "dirty, nasty, greedy, lazy vendors" in the quoted paragraph.

>You "SA's" do occasionally install new releases, don't you? Do you
>sometimes install new systems, occasionally from a different vendor? Do
>you want the holes fixed, or are you simply accumulating your own bags of
>security holes, for your own use, whether to impress your clients and
>bosses or for worse?

No, we sometimes need to fix a problem as soon as it is discovered. We don't want to wait *years* waiting for a vendor to patch a problem, and only have the problem addressed when an Internet worm/virus/demon-from-hell hits.

And no, we don't always install new releases. Have you ever had to reengineer a product because some vendor believed the term "upward compatibility" was a quaint idea in theory, but useless in practice? I have -- not on UNIX, but another operating system. When you design a process control system that can't afford down time (because the end user was too cheap or too limited in budget to afford redundancy), you tend to freeze the end product -- including the computer vendor's software -- as soon as the system goes into continuous use.

>You need to tell every vendor from whom you might ever purchase a system,
>ideally including those not on the Internet or Usenet. (Yes, there are
>companies my current employer thinks are competitors which are on
>neither. Of course, you are more than welcome to disagree about this.)

I don't recall seeing any rules against vendors subscribing to either list. In fact, a sufficiently conscientious vendor would make the effort to join on its *own initiative*. Call it attentiveness to customer concerns.

I will agree with you on one thing. If someone owns a system and doesn't report a known bug to the vendor, they have no right to scream about the vendor not fixing it.

>The people who administrate the gateways usually have nothing to do with
>the people who build and fix the products. (It is a sign of a small or
>until recently small company when the MIS types have not been able to wrest
>control of the gateway from engineering.)

Corporate America *does* have its problems there...

>If you tell Foo Inc about a
>bug, and it is a real bug, 100 to 1000 people will be privy to it.

In my experience working for "FUBAR" (I prefer the proper initial slang), if you told that company about a bug *ONLY THROUGH PROPER CHANNELS*, maybe six or seven people would hear about it. The problem would then be effectively buried until a sufficient number of customers (and potential customers) started talking about the bug amongst themselves. Worse, even when knowledge of a bug did reach the general engineering community in "FUBAR", management clones discouraged work on fixing the problem unless (a) some customer was footing the bill, (b) a chemical plant blew up (or something equally embarrassing) and legal action was threatened, or (c) ex-customers started warning potential customers away.

>At most one will be an "SA", and three or four might know the root password
>of foo.com. (In bigger companies than I've worked for, that might be
>>>1000.)

All it takes is one person at "FUBAR" to distribute the knowledge gained from the networks/mailing lists. (Ever hear of an "outstanding problem" list?) Of course, some companies are too myopic to see the need to give someone adequate time to fill this role.

>In sum, if you're not basically a 'bad-guy' yourself, you're going to
>end up letting many unwashed people in on the secret. The longer you
>delay, the longer it will take to get it fixed.

A lot of "washed" people will be in on the secret, too. Reporting a problem to some vendors is like putting a note in a bottle and throwing it into the ocean. Exchanging problems with other SAs gives all of us a chance to work around them until proper solutions are provided.
===============================================================================
ARPA: trn@aplcomm.jhuapl.edu (currently off line)
UUCP: {backbone!}mimsy!aplcomm!warper!trn
===============================================================================