Xref: utzoo news.groups:6016 news.sysadmin:1130 Path: utzoo!utgpu!attcan!uunet!peregrine!zardoz!neil From: neil@zardoz.UUCP (Neil Gorsuch) Newsgroups: news.groups,news.sysadmin Subject: Re: Proposal for comp.security/alt.security Message-ID: <33589@zardoz.UUCP> Date: 3 Nov 88 19:57:02 GMT References: <2347@isis.UUCP> <22460@tis.llnl.gov> <1147@unisec.usi.com> <329@sulaco.UUCP> <1061@motmpl.UUCP> Reply-To: neil@zardoz.UUCP (Neil Gorsuch) Organization: Custom Product Design Inc., Santa Ana, CA Lines: 91 In article <1061@motmpl.UUCP> ron@motmpl.UUCP (Ron Widell) writes: >In article <329@sulaco.UUCP> allen@sulaco.UUCP (Allen Gwinn) writes: >=In article <1147@unisec.usi.com> dpw@unisec.usi.com (Darryl P. Wagoner) writes: >=If the group idea doesn't go thru, I would be happy to create a >=security mailing list on this system to pass information back and >=forth. Is there any interest in this? >A resounding *YES*. If a group does not get formed (and I hope it does), >I, for one, would be very interested in a mailing list. There is a new security mailing list in place and working on zardoz that has over 60 members as of today. In case anyone missed the double security mailing list situation, here is a summary: 1. There was a security mailing list on isis that has been inactive for 12 months (so I have been told). 2. I started a new security mailing list on zardoz about 2 weeks ago. 3. Andrew Burt on isis announced his intention to re-start the list on isis a short time later. The main differences between the zardoz list as it exists and the reincarnated isis list as Andrew Burt has announced it are: 1. The zardoz list membership requirements are not as stringent. Any system administrator on site listed in the uucp maps or in the NIC database can join by sending me email from their root account, or can request that one or more mail names at their site be included. Other arrangements are available by special request, and I respond with additional information to any email that I am not completely satisfied with on an individual basis. Joining the isis list requires a special machine readable format message being emailed that must be correct or it will be ignored. 2. The isis list is much more secure, since verification of prospective members requires validation by other large sites. The zardoz list is much less secure, but I don't think that anything short of hiring private detectives to investigate prospective members will ensure real security anyway. I will trust the maps as my reference. If a site has a problem with users being able to fake mail from root, the site is probably full of security holes, and further hints for the crackers there (excuse me, users), won't do much further damage. 3. Small sites will probably have a hard time qualifying to be on the isis list. The zardoz list accepts system administrators of any listed site, and other sites will be included upon special arrangement. 4. Any mailing address on a site can be used by the zardoz list, including individual accounts or mail aliases. The isis list will only be mailed to "seclist" at each site. 5. The isis list will require re-registration of each site once a year. No re-registration requirements are needed for the zardoz list. 6. The zardoz list is already in place and operating. The isis list, to my knowledge, is still being set up again. To give Andrew Burt credit, I have been told that the isis mailing list previously had VERY delicate information in it, such as system source code patches, and very specific techniques for breaking in to systems. My intentions for the zardoz mailing list are that prevention techniques should be discussed in great detail, including simpler ones that most system administrators, being inexperienced, may not yet be familiar with. I have received mail from Andrew Burt outlining a proposal from him that the new isis list will be for sensitive material and the zardoz list will should be for non-sensitive material. I have tried to reach him by phone for the last 4 days, but he hasn't returned my calls, so I don't know exactly how he views the zardoz list. My views on the differences between the two new lists are somewhat similar, but I would classify the zardoz list as being a compromise between the new isis list and an open newsgroup. Material posted to the zardoz list will probably not be read by more than a few crackers, and the vast majority, and hopefully, all of it's readers, will be system administrators genuinely concerned with security. Anyone that is overly concerned about their postings being possibly read by a cracker, should probably join the isis list. Any system administrator that is more concerned with propogating and receiving information, than on the possibility of that that information being seen by a few (hopefully none) crackers, should join the zardoz list. To join the zardoz list, just send mail to: sec-request@cpd.com or !uunet!ccicpg!zardoz!sec-request from root or one of the email contact accounts listed in the maps for your site. Postings should go to security@cpd.com or !zardoz!security. Thanks for reading this through, neil@cpd.com !uunet!ccicpg!zardoz!neil (714) 547-3000 Custom Product Design, Inc. Santa Ana, California, USA