sendmail/ftpd security-holes raise their ugly heads again...

usenet news administrator news at cpd.com
Mon Oct 23 05:04:07 AEST 1989


In article <32 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:
>Security mailing list?  What security mailing list?  I keep hearing rumors
>about such a thing, but when I inquire, I'm told that they won't even tell
>how to contact it, because I might be a malicious hacker intent on taking
>advantage of such vital knowledge.  I suspect that this is a cover for the
>fact that there isn't a real security mailing list.

Perhaps you should gain some experience in using netnews before
throwing ridiculous accusations around.  I run the security list, as
you can easily find out by reading news.lists, where Gene Spafford
posts a list of publicly accessible mailing lists every month or so.
Also, it seems that you haven't been reading this group very
religiously, since I end up posting a response about the security list
here every 3 or 4 months.  In fact, looking at the log of postings
here, the latest response went out October 9.  Who wouldn't tell you
how to contact me?  If it's your system administrator that feels you
would be dangerous to include on the list, then I certainly won't
allow you to join.

>I was in fact reinforced in this belief a couple of years back, when I did
>get on a security mailing list for a while.  What a letdown.  I didn't read
>a single article that told me something I didn't already know.  At least
>half of the postings were concerning problems with setuid, from people who
>clearly didn't understand the difference between setuid and setuid-root.

There was a previous security list run by Andrew Burt on the system
isis in Colorado, which became defunct a few years ago.  I started the
security list back up again about a year ago.  I believe it has
material of worth, but it is intended more as a system administrators'
security information source, than as a security theory discussion
forum.  This news group and misc.security seem to have some good
discussions, but I wouldn't know, since I don't have the time to read
netnews very often these days.  I won't waste everyone's bandwidth
putting out the entire security list blurb, but here are a few
pertinent lines from it:

The unix security mailing list exists for these reasons:

1. To notify system administrators and other appropriate people of
   serious security dangers BEFORE they become common knowledge.
2. Provide security enhancement information.

Most unix security mailing list material has been explanations of, and
fixes for, specific security "holes".

>Is there a real security mailing list, that won't waste my time with such
>silliness, and will actually teach me something?  Can I get on it?  Even
>if I no longer have a job that requires a security clearance?  

You might be able to get on it, assuming 2 things happen:
1.	A system administrator of a reasonably sized educational system or
	of a well-known commercial organization requests it, or you convince
	me that you have a good "need to know".  This list is not for the
	"just curious".
2.	I clear out the backlog of 637 security-request letters.

So send a request to security-request here and I'll get to it sometime
this decade 8-).  Actually, the new product development that has been
occupying a ridiculous amount of my time will be done in a few weeks,
and I'll be able to spend a bit more time than the perfunctory couple
of hours a week that I have been spending on the security list.  So
please be patient, all you people whose mail has been stuck in my
security mailbox.

Neil Gorsuch                   INTERNET: neil at cpd.com
president                      UUCP: uunet!zardoz!neil
Uninet                         MAIL: 1209 E. Warner, Santa Ana, CA, USA, 92705
peripherals division of        PHONE: +1 714 546 1100
Custom Product Design, Inc.    FAX: +1 714 546 3726

AKA: root, security-request, uuasc-request, postmaster, usenet, news


