mcb@tis.llnl.gov (Michael C. Berch) (10/30/88)
[For those who haven't been following the discussion in news.sysadmin, the following is related to discussion of the allegedly "revived" security mailing list, and the larger issue of whether closed mailing lists or open forums are more appropriate for discussion of security matters.]

Andrew Burt (aburt@isis.UUCP) writes that he is planning to revive the security mailing list that he once moderated, and plans to attempt to limit the membership and attempt to guarantee the "integrity" of the list by putting list applicants through some sort of rigorous questionnaire, limiting the membership to admins of "large sites", and so forth.

It is my opinion that these tests will do nothing other than create the illusion of security -- the illusion that the list is closed and that only the members approved by the moderator are actually reading it. Unfortunately, I know too much about UUCP/Internet electronic mail to believe that.

I also firmly oppose the concept of "security by obscurity" -- that computer security matters should only be discussed in hushed tones among the old-boy network of large site system administrators. Frankly, some of the most capable security consultants I know are small-system administrators who would perforce be excluded by the "rules" Mr. Burt proposes. Furthermore, the extremely bureaucratic process by which a site must petition to join the list is, in itself, daunting.
Some time ago, we attempted to join the previous incarnation of the list; while I would certainly be eligible (as the admin of a government site -- indeed, at an organization that sponsors several computer security projects), we never did get added (all I ever got was a rather curt response that I was supposed to contact some other sysadmin at another site at LLNL, despite the fact that the site we were referred to was apparently incapable of redistribution, and despite the fact that LLNL maintains at least seven independent unclassified computer centers, and we are not co-located with any of the other six). I can only imagine what trying to join the new incarnation of the list will be like; perhaps I may as well start by faxing Mr. Burt my personnel records and a copy of my security clearance. (;-)

The answer to all of this, I think, is to realize that trying to lock up a security mailing list is not the right thing to do. Actually, I think the opposite is appropriate -- an unrestricted, unmoderated security newsgroup. This will accomplish two main points:

1) Assure the widest dissemination of information to system administrators, network managers, implementors and developers of software products and operating systems, etc., about threats and the measures that must be taken to eliminate them.

2) Remove the false sense of security and privacy attendant to a so-called "closed" mailing list, where neither the administrative procedures nor the method of dissemination of messages (open electronic mail) can assure security.

Therefore, I propose for discussion "comp.security", unmoderated and unrestricted. (This is not a call for votes. DO NOT mail or post votes; they will be ignored.) Followups should be directed to news.groups.
As a short-term solution, I propose the provisional creation of alt.security: this can be discussed in alt.config, and assuming a positive "sense of the altnet", the latter group can be created with less delay, and can be migrated to comp.security later, if admitted to the main Usenet hierarchy.

Michael C. Berch
mcb@tis.llnl.gov / uunet!tis.llnl.gov!mcb / ames!lll-tis!mcb