Security mailing list

[Neil Gorsuch]

In article <111 at pmdvax.UUCP> root at pmdvax.UUCP (The Superuser) writes:
>would someone associated with the unix security mailing list please
>refer me to whom I might subscribe to any lists addressing unix
>security, etc.?  Thankz.

I run the unix security mailing list.  I will probably regret posting
rather than emailing (there are already 437 letters waiting for my
attention in my security mailbox), but it's been a while since details
have been posted, so here goes:

UNIX SECURITY MAILING LIST

The unix security mailing list exists for these reasons:

1. To notify system administrators and other appropriate people of
   serious security dangers BEFORE they become common knowledge.
2. Provide security enhancement information.

Most unix security mailing list material has been explanations of, and
fixes for, specific security "holes".  I DO NOT believe in security
through obscurity, but I certainly don't spread "cracking" methods to
the world at large as soon as they become known.  The unix security
list is, in my opinion, an excellent compromise between the two ideas.
It is not intended for the discussion of theoretical security
techniques or "Should we thank Mr. Morris?" types of subjects, there
is no need for secrecy regarding such matters, and appropriate usenet
news groups already exist that serve those purposes.  It is, however,
appropriate to post security checkup programs and scripts, and
specific security enhancement methods to this list in addition to the
proper news groups.  I assume that since the members of the list made
a special effort to join, they might appreciate appropriate material
being sent via email so that they don't have to sort through many news
groups to "catch" everything.

zardoz is well connected, having 45 uucp links including uunet, and is
in the process of becoming part of the Internet.  Reliable delivery is
available to any bang path or internet address.  Each mailing list
destination can choose to receive either automatically "reflected"
postings of all received material, or moderated digests that are sent
out about once a week.  There is a seperate posting address for
emergencies that reflects the received material to the entire mailing
list without any intervention on my part.

The typical list member is a system administrator of a large
educational or commercial site, or a person that is involved with
security implementation for a large vendor.  However, I am flexible
and make exceptions to those guidelines.  To apply for membership,
send email from one of the following or send email requesting that I
contact one of the following (please arrange the former, it saves me
time):

1.	For uucp sites with a uucp map entry, the listed email contact,
	map entry writer, or root.
2.	For internet sites, the NIC "WHOIS" listed site contact, or root.

Please include the following:

1.	The uucp map entry and map name to find it in, or the WHOIS
	response from the NIC and the request handle.
2.	The actual email destination you want material sent to.  It
	can be a person or alias, but must be on the same machine
	that you use as a reference, or in a sub-domain of said machine.
3.	Whether you want immediate reflected postings, or the weekly
	moderated digests.
4.	The email address and voice phone number of the administrative
	contact if different from the above.
5.	The organization name, address, and voice phone number if not
	listed already.

Please don't do any of the following:

1.	send email from root on machine_17.basement.podunk_U.edu and
	expect that to be sufficient for membership.  With
	workstations being so prevalent, and being so EASY to "crack",
	root doesn't mean much these days.
2.	send email from root on the uucp map entry listed site
	toy-of-son and expect that to be sufficient.  If you would prefer
	material sent to a home machine, verify your credentials through
	one of the previously mentioned methods.
3.	send mail from a network that I don't have any way to verify,
	such as bitnet or others.  I can verify uucp and internet sites.
	Send me some way to verify your credentials if you can't use
	an appropriate listed uucp or internet site.
4.	send me mail saying I can verify your identity and credentials
	by telephoning a long distance number.  I will continue to donate
	the extra computer capacity required for sending and archiving
	this list, and I will continue to spend the money on the extra
	uucp/internet communication costs that this list requires, but I
	draw the line at spending money on voice long distance phone calls.
5.	send me an application request that involves a lot of time and
	special procedures for verification.  Please try to make my
	processing of your application an easy matter.

All email regarding this list should be sent to:

security-request at cpd.com (INTERNET sites)
uunet!zardoz!security-request (UUCP sites)

Please be patient, I answer all requests, but I receive hundreds of
letters a week.  If you don't receive an answer after a reasonable
amount of time (2 or 3 weeks), send another request, in case the
previous one was eaten by an email monster 8<).

Neil Gorsuch
(AKA security-request)