There is a certain irony in trying to include a comprehensive list of electronic resources in a printed book such as this one. Electronic resources such as Web pages, newsgroups, and mailing lists are updated on an hourly basis; new releases of computer programs can be published every few weeks.
Books, on the other hand, are infrequently updated. The first edition of Practical UNIX Security , for instance, was written between 1989 and 1990, and published in 1991. This revised edition was started in 1995 and not published until 1996. Interim reprintings incorporated corrections, but did not include new material.
Some of the programs listed in this appendix appear to be "dead," or, in the vernacular jargon of academia, "completed." For instance, consider the case of COPS , developed as a student project by Dan Farmer at Purdue University under the direction of Gene Spafford. The COPS program is still referenced by many first-rate texts on computer security. But as of early 1996, COPS hasn't been updated in more than four years and fails to install cleanly on many major versions of UNIX; Dan Farmer has long since left Gene's tutelage and gone on to fame, fortune, and other projects (such as the SATAN tool). COPS rests moribund on the COAST FTP server, apparently a dead project. Nevertheless, before this book is revised for a third time, there exists the chance that someone else will take up COPS and put a new face on it. And, we note that there is still some value in applying COPS - some of the flaws that it finds are still present in systems shipped by some vendors (assuming that you can get the program to compile).
We thus present the following electronic resources with the understanding that this list necessarily cannot be complete nor completely up to date. What we hope, instead, is that it is expansive. By reading it, we hope that you will gain insight into places to look for future developments in computer security. Along the way, you may find some information you can put to immediate use.
There are many mailing lists that cover security-related material. We describe a few of the major ones here. However, this is not to imply that only these lists are worthy of mention! There may well be other lists of which we are unaware, and many of the lesser-known lists often have a higher volume of good information.
NOTE: Never place blind faith in anything you read in a mailing list, especially if the list is unmoderated. There are a number of self-styled experts on the net who will not hesitate to volunteer their views, whether knowledgeable or not. Usually their advice is benign, but sometimes it is quite dangerous. There may also be people who are providing bad advice on purpose, as a form of vandalism. And certainly there are times where the real experts make a mistake or two in what they recommend in an offhand note posted to the net.
There are some real experts on these lists who are (happily) willing to share their knowledge with the community, and their contributions make the Internet a better place. However, keep in mind that simply because you read it on the network does not mean that the information is correct for your system or environment, does not mean that it has been carefully thought out, does not mean that it matches your site policy, and most certainly does not mean that it will help your security. Always evaluate carefully the information you receive before acting on it.
Many of the incident response teams (listed in Appendix F) have mailing lists for their advisories and alerts. If you can be classified as one of their constituents, you should contact the appropriate team(s) to be placed on their mailing lists.
Many vendors also have mailing lists for updates and advisories concerning their products. These include computer vendors, firewall vendors, and vendors of security software (including some freeware and shareware products). You may wish to contact your vendors to see if they have such lists, and if so, join.
The problem with all these lists is that you can easily overwhelm yourself. If you are on lists from two response teams, four vendors, and another half-dozen general-purpose lists, you may find yourself filtering several hundred messages a day whenever a new general vulnerability is discovered. At the same time, you don't want to unsubscribe from these lists, because you might then miss the timely announcement of a special-case fix for your own systems.
One method that we have seen others use with some success is to split the mailing lists up among a group of administrators. Each person gets one or two lists to monitor, with particularly useful messages then redistributed to the entire group. Be certain to arrange coverage of these lists if someone leaves or goes on vacation, however!
Another approach is to feed these messages into Usenet newsgroups you create locally especially for this purpose. This strategy allows you to read the messages using an advanced newsreader that will allow you to kill message chains or trigger on keywords. It may also help provide an archiving mechanism to allow you to keep several days or weeks (or more) of the messages.
These are some of the major mailing lists.
The Academic-Firewalls mailing list is for people interested in discussing firewalls in the academic environment. This mailing list is hosted at Texas A&M University. To subscribe, send "subscribe academic-firewalls" in the body of a message to [email protected] .
Academic-Firewalls is archived at:
This is a non-discussion mailing list for remailing items from other security-oriented mailing lists. It is intended for subscribers to forward the "best" of other mailing lists - avoiding the usual debate, argument, and disinformation present on many lists.
To subscribe to this particular mailing list, send "subscribe best-of-security" in the body of a message to [email protected].
Bugtraq is a full-disclosure computer security mailing list. This list features detailed discussion of UNIX security holes: what they are, how to exploit them, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities (although that is known to be the intent of some of the subscribers). It is, instead, about defining, recognizing, and preventing use of security holes and risks. To subscribe, send "subscribe bugtraq" in the body of a message to [email protected] .
Note that we have seen some incredibly incorrect and downright bad advice posted to this list. Individuals who attempt to point out errors or corrections are often roundly flamed as being "anti-disclosure." Post to this list with caution if you are the timid sort.
New CERT-CC advisories of security flaws and fixes for Internet systems are posted to this list. This list makes somewhat boring reading; often the advisories are so watered down that you cannot easily figure out what is actually being described. Nevertheless, the list does have its bright spots. Send subscription requests to [email protected] .
Archived past advisories are available from info.cert.or g via anonymous FTP from:
ftp://info.cert.org/
ftp://coast.cs.purdue.edu/pub/alert/CERT
The staff at the Department of Energy CIAC publish helpful technical notes on an infrequent basis. These are very often tutorial in nature. To subscribe to the list, send a message with "subscribe ciac-notes yourname" in the message body to [email protected] . Or, you may simply wish to browse the archive of old notes:
ftp://ciac.llnl.gov/pub/ciac/notes
ftp://coast.cs.purdue.edu/pub/alert/CIAC/notes
A curious mixture of postings on privacy, security, law, and the computer underground fill this list. Despite the name, this list is not a digest of material by the "underground" - it contains information about the computing milieux. To subscribe, send a mail message with the subject line "subscribe cu-digest" to [email protected] .
This list is also available as the newsgroup comp.society.cu-digest on the Usenet; the newsgroup is the preferred means of distribution. The list is archived at numerous places around the Internet, including:
The Firewalls mailing list, which is hosted by Great Circle Associates, is the primary forum for folks on the Internet who want to discuss the design, construction, operation, maintenance, and philosophy of Internet firewall security systems. To subscribe, send a message to [email protected] with "subscribe firewalls" in the body of the message.
The Firewalls mailing list is usually high volume (sometimes more than 100 messages per day, although usually it is only several dozen per day). To accommodate subscribers who don"t want their mailboxes flooded with lots of separate messages from Firewalls, there is also a Firewalls-Digest mailing list available. Subscribers to Firewalls-Digest receive daily (more frequent on busy days) digests of messages sent to Firewalls, rather than each message individually. Firewalls-Digest subscribers get all the same messages as Firewalls subscribers; that is, Firewalls-Digest is not moderated, just distributed in digest form.
The mailing list is archived:
ftp://ftp.greatcircle.com/pub/firewalls/
http://www.greatcircle.com/firewalls
The FWALL -users mailing list is for discussions of problems, solutions, etc. among users of the TIS Internet Firewall Toolkit ( FWTK ). To subscribe, send email to [email protected] .
RISKS is officially known as the ACM Forum on Risks to the Public in the Use of Computers and Related Systems. It's a moderated forum for discussion of risks to society from computers and computerization. Send email subscription requests to [email protected] .
Back issues are available from unix.sri.com via anonymous FTP :
RISKS is also distributed as the comp.risks Usenet newsgroup, and this is the preferred method of subscription.
The WWW -security mailing list discusses the security aspects of WWW servers and clients. To subscribe, send "subscribe www-security" in the body of a message to [email protected] .