Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!lll-winken!sun-barr!newstop!texsun!letni!lawnet!zardoz!news
From: news@cpd.com (usenet news administrator)
Newsgroups: comp.unix.wizards
Subject: Re: sendmail/ftpd security-holes raise their ugly heads again...
Message-ID: <1989Oct22.190407.13515@cpd.com>
Date: 22 Oct 89 19:04:07 GMT
References: <21@minya.UUCP> <12661@orstcs.CS.ORST.EDU> <32@minya.UUCP>
Reply-To: neil@uninet.UUCP (Neil Gorsuch)
Organization: Custom Product Design, Inc., Santa Ana, CA, USA
Lines: 71

In article <32@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>Security mailing list? What security mailing list? I keep hearing rumors
>about such a thing, but when I inquire, I'm told that they won't even tell
>how to contact it, because I might be a malicious hacker intent on taking
>advantage of such vital knowledge. I suspect that this is a cover for the
>fact that there isn't a real security mailing list.

Perhaps you should gain some experience in using netnews before throwing
ridiculous accusations around. I run the security list, as you can
easily find out by reading news.lists, where Gene Spafford posts a list
of publicly accessible mailing lists every month or so. Also, it seems
that you haven't been reading this group very religiously, since I end
up posting a response about the security list here every 3 or 4 months.
In fact, looking at the log of postings here, the latest response went
out October 9. Who wouldn't tell you how to contact me? If it's your
system administrator that feels you would be dangerous to include on the
list, then I certainly won't allow you to join.

>I was in fact reinforced in this belief a couple of years back, when I did
>get on a security mailing list for a while. What a letdown. I didn't read
>a single article that told me something I didn't already know. At least
>half of the postings were concerning problems with setuid, from people who
>clearly didn't understand the difference between setuid and setuid-root.

There was a previous security list run by Andrew Burt on the system isis
in Colorado, which became defunct a few years ago. I started the
security list back up again about a year ago. I believe it has material
of worth, but it is intended more as a system administrators security
information source, than as a security theory discussion forum. This
news group and misc.security seem to have some good discussions, but I
wouldn't know, since I don't have the time to read netnews very often
these days. I won't waste everyone's bandwidth putting out the entire
security list blurb, but here are a few pertinent lines from it:

The unix security mailing list exists for these reasons:

1. To notify system administrators and other appropriate people of
   serious security dangers BEFORE they become common knowledge.

2. Provide security enhancement information.

Most unix security mailing list material has been explanations of, and
fixes for, specific security "holes".

>Is there a real security mailing list, that won't waste my time with such
>silliness, and will actually teach me something? Can I get on it? Even
>if I no longer have a job that requires a security clearance?

You might be able to get on it, assuming 2 things happen:

1. A system administrator of a reasonably sized educational system or
   of a well-known commercial organization requests it, or you convince
   me that you have a good "need to know". This list is not for the
   "just curious".

2. I clear out the backlog of 637 security-request letters

So send a request to security-request here and I'll get to it sometime
this decade 8-). Actually, the new product development that has been
occupying a ridiculous amount of my time will be done in a few weeks,
and I'll be able to spend a bit more time than the perfunctory couple of
hours a week that I have been spending on the security list. So please
be patient, all you people whose mail has been stuck in my security
mailbox.

Neil Gorsuch                 INTERNET: neil@cpd.com
president                    UUCP: uunet!zardoz!neil
Uninet                       MAIL: 1209 E. Warner, Santa Ana, CA, USA, 92705
peripherals division of      PHONE: +1 714 546 1100
Custom Product Design, Inc.  FAX: +1 714 546 3726
AKA: root, security-request, uuasc-request, postmaster, usenet, news