The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #406 [Security Mailing List is already being restarted] (1 message, 3631 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/406.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: tower@bu-it.bu.edu (Leonard H. Tower Jr.)
To: phage
Date: Mon 17:38:02 07/11/1988 EST
Subject: Security Mailing List is already being restarted

Neil:
	There's been discussion on the Internet about restarting the
security list.  Several messages appended.

Internetters:
	Neil is in the process of starting up the security list again.
His first (of several) posting to USENET newsgroup news.sysadmin is
appended at the end.

enjoy -len
----------------------------------------------------------------------
Return-Path: <verber@diplodocus.cis.ohio-state.edu>
Date: Fri, 4 Nov 88 10:10:39 EST
From: verber@diplodocus.cis.ohio-state.edu (Mark A. Verber)
To: phage@purdue.edu, bfraik@next.com, bzs@multimax.encore.edu,
        hedrick@topaz.rutgers.edu, croft@csli.stanford.edu,
        alison@maverick.osc.edu
Subject: Security Mailing List
Reply-To: verber@tut.cis.ohio-state.edu

The security mailing list died about a year ago due primarily to
inactivity.  With the recent FTP problems, the virus attack, and the
general growth of the Internet I think it is about time for the list
to return.  I would suggest the following:

#1. Create Restricted Mailing List

With the old security mailing list the only requirement was an OK from
the root of the system (other than home computers).  I would like to
suggest that there would be a trusted group of people to start the
mailing list (maybe start with phage@purdue).  People would need
someone who was on the list already to vouch for them, an OK from the
person's home root, and that their name be circulated to the mailing
list to see if anyone objects.  I am suggesting these additional
requirements because I know of people (now in retrospect) that
shouldn't have been on the old list who would not qualify with these
additional requirements.  I would also suggest that there are no
aliases (i.e. postmaster@moby.foo.bar) but mail would be sent to
individuals only.

#2. Security Repository

There are a number of sites who don't have source, yet they want holes
fixed.  For some problems, it is easy enough to patch a binary with
adb, but for other problems that is not enough.  I would suggest a
ftp site on the Internet that would keep binaries to patched programs.
I would suggest Sun-3, Sun-4, and Vaxen binaries.  Possibly other
machines (i.e. Pyramid, Sequent, Encore, HP) if there seems to be enough
of an interest.

#3. Get Vendors Involved

There should be at least one rep. from each major UNIX box vendor who
would be responsible for getting fixes into release software.  This
doesn't seem to be much of a priority with vendors right now.  I think
we should collectively scream bloody murder until we see a bit more
responsiveness from our friends.

#4. Hole List

I think it *might* be a good idea to develop a list of security holes
that should be checked.  This list should have a very limited
circulation.  This list should not live on the same machine as the
security mailing list or the archives.  It should be mailed from a
system other than its home (otherwise that machine becomes a prime
spot for breaking).  On the other hand, having such a list might be
too risky.

Cheers,
Mark A. Verber
Ohio State Univ.
----------------------------------------------------------------------
Return-Path: <dle@june.csl.sri.com>
Date: Fri, 4 Nov 1988 12:15:03 PST
From: David L. Edwards <dle@csl.sri.com>
To: verber@tut.cis.ohio-state.edu
Cc: phage@purdue.edu, bfraik@next.com, bzs@multimax.encore.edu,
        hedrick@topaz.rutgers.edu, croft@csli.stanford.edu,
        alison@maverick.osc.edu
Subject: Re: Security Mailing List
In-Reply-To: Your message of Fri, 4 Nov 88 10:10:39 EST

I agree with your suggestions to reintroduce a limited distribution
security mailing list.  I had made the offer to act as the mailing
list maintainer for the old list as it was dying and I will make that
offer again.

Due to my time constraints, I would not be able to act as a moderator.
I would handle mailing list requests and maintain the archives.  CSL
is willing to allocate sufficient machine resources and a little of my
time to support this activity.

I look forward to your comments.

David Edwards
Computer Science Laboratory
SRI International
----------------------------------------------------------------------
Return-Path: <encore!pinocchio!bzs@talcott.harvard.edu>
Date: Fri, 4 Nov 88 23:13:55 est
From: encore!pinocchio!bzs@talcott.harvard.edu (Barry Shein)
To: verber@diplodocus.cis.ohio-state.edu, phage@purdue.edu, bfraik@next.com,
        bzs@multimax.encore.edu, hedrick@topaz.rutgers.edu,
        croft@csli.stanford.edu, alison@maverick.osc.edu
Subject: Security Mailing List

I just want to say that I think getting the security mailing list
re-started is a good idea, particularly in light of current events.

If there's anything we can do from here don't hesitate to ask, I've
always been in favor of some sort of network repository for (at least)
fixed binaries. I don't know that this violates any software
agreements but if you like I'll check from here. Of course, such a
repository would have to take extreme care to ensure what users get is
what is intended, that alone might require quite a bit of thought.

	-Barry Shein, ||Encore||
======================================================================
Path: bu-cs!bloom-beacon!tut.cis.ohio-state.edu!mailrus!cornell!rochester!ritcv!cci632!ccicpg!zardoz!root
From: root@zardoz.UUCP (Operator)
Newsgroups: news.sysadmin
Subject: Re: Security Mailing List Still out there?
Date: 22 Oct 88 23:49:31 GMT
Date-Received: 23 Oct 88 10:56:59 GMT
Reply-To: root@zardoz.UUCP (Operator)
Organization: Custom Product Design Inc., Santa Ana, CA

>In article <5093@medusa.cs.purdue.edu>, spaf@cs.purdue.edu (Gene Spafford) writes:
>> If anyone is willing to host the mailing list at their site, please
>> send mail to Andrew Burt -- he'd love to hear from you.

I am willing to host the security mailing list.  I sent mail to Andrew Burt
at isis a little while back, but it must have been swallowed somewhere
along the way.  I am sending another message to "postmaster" at isis
to duplicate this posted article.  zardoz is fairly well connected (1 hop
from uunet), and I believe that it has the capacity to handle many mail
messages.  Assuming that Andrew Burt answers this article or the e-mail
I'm sending to isis's postmaster,  the mail list will be set up as follows:

1.  For now, it will be a mail reflector, to a list maintained by me
    consisting of root accounts on any machine of reasonable size.
2.  Non-root accounts will be added to the list when requested by a root
    account on the same machine that is already in the list.
3.  I will later set up a simple program that only allows accounts listed
    in the list to post TO the list.  I assume that this kind of thing has
    been done before, so feel free to send me this software, if you have it.
4.  The received submissions will not be edited, controlled, refused, or
    altered in any way, except for provision 3 above.
5.  Custom Product Design Inc. assumes no liability for any information
    posted through the list, or for any subsequent damages caused by
    any posting on the list.
6.  Accounts will be removed from the list at my discretion when I feel that
    any poster is consistently posting non-security related information or
    is using this list for personal attacks or "flames".
7.  Requests to be added to the list should be mailed to sec-request@cpd.com
8.  Postings to the list should be mailed to security@cpd.com
9.  cpd.com is zardoz.UUCP, reached by the path ...!uunet!ccicpg!zardoz

If the volume of mail becomes too large, I will continue to run the list
under the following additional conditions:

10. No new accounts will be added to the list unless there is a regional
    re-distribution site reasonably close to that site that is willing
    to accept more accounts on their regional distribution list.
11. Re-distribution sites will be accepted in any area, as long as they
    only accept postings that go through this site (because of provision
    3 above).

Neil J. Gorsuch
root@cpd.com
uunet|{ccpcig,spsd}|zardoz!root
(714) 547-3000
Custom Product Design, Inc.
1430 S. Village Way, Unit Q
Santa Ana, CA  92705  USA
----------------------------------------------------------------------
enjoy -len

END OF DOCUMENT