D.1 Mailing Lists | Practical Unix & Internet Security, 3rd Edition

There are many mailing lists that cover security- related material. We describe a few of the major ones here. However, this is not to imply that only these lists are worthy of mention! There may well be other lists of which we are unaware, and many of the lesser-known lists often have a higher volume of good information.

Never place blind faith in anything you read in a mailing list, especially if the list is unmoderated . There are a number of self-styled experts on the Net who will not hesitate to volunteer their views, whether knowledgeable or not. Usually, their advice is benign , but sometimes it is quite dangerous. There may also be people who are providing bad advice on purpose, as a form of vandalism. And certainly , there are times when the real experts make a mistake or two in what they recommend in an offhand note posted to the Net.

There are some real experts on these lists who are (happily) willing to share their knowledge with the community, and their contributions make the Internet a better place. However, keep in mind that simply because you read it on the Internet does not mean that the information is correct for your system or environment, that it has been carefully thought out, that it matches your site policy, and it most certainly does not mean that it will help your security. Always evaluate carefully the information you receive before acting on it.

D.1.1 Response Teams and Vendors

Many of the incident response teams (listed in Appendix E) have mailing lists for their advisories and alerts. If you can be classified as one of their constituents, you should contact the appropriate team(s) to be placed on their mailing lists.

Many vendors also have mailing lists for updates and advisories concerning their products. These include computer vendors, firewall vendors, and vendors of security software (including some freeware and shareware products). You may wish to contact your vendors to see if they have such lists, and if so, join.

D.1.2 A Big Problem with Mailing Lists

The problem with all these lists is that you can easily overwhelm yourself. If you are on lists from two response teams, four vendors, and on another half dozen general-purpose lists, you may find yourself filtering several hundred messages a day whenever a new general vulnerability is discovered . At the same time, you don't want to unsubscribe from these lists because you might then miss the timely announcement of a special-case fix for your own systems.

One method that we have seen others use with some success is to split the mailing lists up among a group of administrators. Each person gets one or two lists to monitor, with particularly useful messages then redistributed to the entire group . Be certain to arrange coverage of these lists if someone leaves or goes on vacation, however!

Another approach is to feed these messages into Usenet newsgroups you create locally especially for this purpose. This strategy allows you to read the messages using an advanced newsreader that will allow you to kill message chains or trigger on keywords. It may also help provide an archiving mechanism to allow you to keep several days or weeks (or more) worth of messages.

Finally, most security mailing lists offer the option of subscribing to a daily digest of the list. Digest subscribers usually receive a single message each day that contains all of the day's messages. Managing these digests can be easier than sorting through each individual message as they arrive . Of course, you may learn about new vulnerabilities several hours later than other system administrators ”or attackers .

D.1.3 Major Mailing Lists

These are some of the major mailing lists.

D.1.3.1 Bugtraq

Bugtraq is a full-disclosure computer security mailing list run by SecurityFocus. This list features detailed discussions of Unix security holes: what they are, how to exploit them, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities (although that is known to be the intent of some of the subscribers). It is, instead, about defining ”that is, recognizing and preventing security holes and risks. To subscribe, sign up at:

http://www.securityfocus.com/

Note that we have seen some incredibly incorrect and downright bad advice posted to this list. Individuals who attempt to point out errors or corrections are often roundly flamed as being "anti-disclosure." Post to this list with caution if you are the timid sort .

SecurityFocus also runs several other mailing lists that cover areas of security (such as IDS, honeypots, or viruses) or specific flavors of Unix (such as Linux or Sun systems). A particularly interesting list is "incidents," which report actual attacks and break-ins. SecurityFocus is owned by the Symantec Corporation

D.1.3.2 CERT-advisory

New CERT/CC advisories of security flaws and fixes for Internet systems are posted to this list. This list makes somewhat boring reading; often the advisories are so watered down that you cannot easily figure out what is actually being described. Nevertheless, the list does have its bright spots. Send subscription requests to majordomo@cert.org. Put "subscribe cert-advisory" in the message body.

Archived past advisories are available at:

http://www.cert.org/nav/alerts.html.

D.1.3.3 Computer underground digest

A curious mixture of postings on privacy, security, law, and the computer underground fill this list. Despite the name , this list was not a digest of material by the "underground" ”it contained information about the computing milieux. Unfortunately, it stopped publishing in 2000, and it is unclear if the list will ever resume.

This list was available as the newsgroup comp.society.cu-digest on the Usenet; the newsgroup was the preferred means of distribution. The list is archived at numerous places around the Internet, including its home page:

http://sun.soci.niu.edu/~cudigest/

D.1.3.4 Firewalls

The Firewalls mailing list, which is hosted by the Internet Software Consortium, is a primary forum for folks on the Internet who want to discuss the design, construction, operation, maintenance, and philosophy of Internet firewall security systems. To subscribe, visit:

http://www.isc.org/services/public/lists/firewalls.html

The Firewalls mailing list is usually high-volume (sometimes more than 100 messages per day, although usually it is only several dozen per day). To accommodate subscribers who don't want their mailboxes flooded with lots of separate messages from Firewalls, a digested version of the list is also available, and the list is archived on the web site.

D.1.3.5 Firewall-Wizards

The Firewall-Wizards mailing list is a moderated list focused not only on the design and implementation of firewalls but also other network security topics. You can subscribe (or browse the archives) at:

http:// honor .icsalabs.com/mailman/listinfo/firewall-wizards

D.1.3.6 RISKS

RISKS is officially known as the ACM Forum on Risks to the Public in the Use of Computers and Related Systems. It's a moderated forum for discussing risks to society from computers and computerization. RISKS is also distributed as the comp.risks Usenet newsgroup, and this is the preferred method of subscription. If you don't get Usenet (and don't want to read it via http://groups.google.com), you can send email subscription requests to RISKS-Request@csl.sri.com with the word "subscribe" in the body.

Back issues are available through Google (as above) or from:

http://www.risks.org/.

D.1.3.7 SANS Security Alert Consensus

Security Alert Consensus is a weekly digest of alerts and announcements from several other security mailing lists and vendors. Subscriptions can be customized to include only those operating systems for which you are responsible. Subscribe at:

http://www.sans.org/.