The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #151 [Security Mailing List Repository Offering] (1 message, 1138 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/151.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: verber@dinosaur.cis.ohio-state.edu (Mark A. Verber)
To: phage
Date: Tue 08:31:48 08/11/1988 EST
Subject: Security Mailing List Repository Offering
References: [Thread Prev: 407] [Thread Next: 171] [Message Prev: 150] [Message Next: 153]

It is clear to me that mail from root is not a safe way to verify who
should be trusted.  As has been pointed out, telnetting to port 25 is
trivial.  That is why I suggested the idea of people already on the
list vouching for new list members.

I agree that this kind of verification would bog the list down.  I
would like to suggest breaking the mailing list into two pieces.  The
first would be a 'secure list' and the second would be 'semi secure list.'

Requirements for the secure list would be an existing member vouching
for the person, and that person being responsible for fixing and
distributing fixes to holes.  We would want vendors, major
installations, and those people who are deeply involved in protecting
UNIX machines.  This mailing list would be used for discussion of
holes and how to patch them.  The semi-secure list could use the root
verification (note: it should require two iterations, root saying "add
me to your list", maintainers responding saying "Did you send a
message" and a response from root).

The maintainer of the "secure" list should be on the Internet.
Someone on the list would take responsibility to forward warnings to
the other mailing list without giving specifics until the holes are
patched.  For example: when the ftpd bug was discovered the complete
gory details should be sent to the restricted group.  That group would
work on the fixes and put fixed binaries in some publicly accessible
repository.  At the same time a warning should be posted to the normal
security mailing saying "disable anonymous ftp because there is a hole
in ftpd."


I know this sounds elitist, but that's the way life works sometimes.  I
think our priority should be to get information to those people in a
position to fix problems while minimizing the chances that people can
exploit the holes.

--- Mark Verber
    Ohio State University

END OF DOCUMENT