D.1 Mailing Lists
There are many mailing lists
that cover security-related material. We describe a few of the major
ones here. This is not to imply that only these lists are
worthy of mention: there may well be lists of which we are
unaware, and some of the lesser-known lists carry a higher
proportion of good information than the famous ones.
Never place blind faith in anything you read in
a mailing list, especially if the list is
unmoderated. There are a number of self-styled experts on the Net who
will not hesitate to volunteer their views, whether knowledgeable or
not. Usually, their advice is benign, but sometimes it is quite
dangerous. There may also be people who are providing bad advice on
purpose, as a form of vandalism. And certainly, there are times when
the real experts make a mistake or two in what they recommend in an
offhand note posted to the Net.
There are some real experts on these lists who are (happily) willing
to share their knowledge with the community, and their contributions
make the Internet a better place. However, keep in mind that simply
because you read it on the Internet does not mean that the
information is correct for your system or environment, that it has
been carefully thought out, that it matches your site policy, and it
most certainly does not mean that it will help your security.
Always evaluate carefully the information you
receive before acting on it.
D.1.1 Response Teams and Vendors
Many of the incident response teams
(listed in Appendix E) have mailing lists for their
advisories and alerts. If you can be classified as one of their
constituents, you should contact the appropriate team(s) to be placed
on their mailing lists.
Many vendors also have mailing lists for updates and advisories
concerning their products. These include computer vendors, firewall
vendors, and vendors of security software (including some freeware
and shareware products). You may wish to contact your vendors to see
if they have such lists, and if so, join.
D.1.2 A Big Problem with Mailing Lists
The problem with all these lists is that you can easily overwhelm
yourself. If you are on lists from two response teams, four vendors,
and another half dozen general-purpose lists, you may find
yourself filtering several hundred messages a day whenever a new
general vulnerability is discovered. At the same time, you
don't want to unsubscribe from these lists, because
you might then miss the timely announcement of a special-case fix for
your own systems.
One method that we have seen others use with some success is to split
the mailing lists up among a group of administrators. Each person
gets one or two lists to monitor, with particularly useful messages
then redistributed to the entire group. Be certain to arrange
coverage of these lists if someone leaves or goes on vacation,
however!
Another approach is to feed these messages into Usenet newsgroups you
create locally especially for this purpose. This strategy allows you
to read the messages using an advanced newsreader that can
kill whole threads or trigger on keywords (such as the names of the
products you actually run). It also provides an archiving mechanism
that lets you keep several days or weeks (or more) worth of messages.
Finally, most security mailing lists offer the option of subscribing
to a daily digest of the list. Digest subscribers usually receive a
single message each day that contains all of the
day's messages. Managing these digests can be easier
than sorting through each individual message as they arrive. Of
course, you may learn about new vulnerabilities several hours later
than other system administrators—or attackers.
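The killfile-and-keyword approach above can be done on the mail itself before a person ever reads it. The following is an added example, not code from the book: a small Python filter that reads raw list messages, identifies the list from the List-Id header, drops killed threads, suppresses cross-posted duplicates by Message-ID, and escalates messages that mention software in a (hypothetical) site inventory. The list names, inventory, kill patterns and sample messages are all constructed for the demonstration.

```python
"""Keyword triage for security mailing-list traffic.

Added example, not from the book. SITE_INVENTORY, KILL_PATTERNS,
ADVISORY_LISTS and SAMPLE_MESSAGES are constructed for the demo.
"""
import email
import re
from email.message import Message

# Hypothetical site inventory: software this site actually runs. A message
# that names one of these is worth reading before the rest of the day's mail.
SITE_INVENTORY = ("sendmail", "openssh", "bind", "solaris", "linux")

# Per-list kill rules: the newsreader-killfile idea, as subject regexes.
KILL_PATTERNS = {
    "bugtraq": [re.compile(r"anti-disclosure", re.I),
                re.compile(r"^Re:\s*Re:\s*Re:", re.I)],
}

# Lists that carry advisories rather than discussion: an inventory hit on
# one of these is escalated instead of merely kept.
ADVISORY_LISTS = {"cert-advisory", "vendor-alerts"}


def list_name(msg: Message) -> str:
    """Short list name from the RFC 2919 List-Id header, e.g.
    'Bugtraq <bugtraq.securityfocus.com>' -> 'bugtraq'; '' if absent."""
    m = re.search(r"<([^.>]+)", msg.get("List-Id", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts; attachments are ignored."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def triage(raw_messages, seen_ids=None):
    """Classify raw RFC 822 messages. Returns a list of
    (subject, list, action, inventory_hits) in input order."""
    seen_ids = set() if seen_ids is None else seen_ids
    results = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        lst = list_name(msg)
        subject = msg.get("Subject", "").strip()
        mid = msg.get("Message-ID", "").strip()
        # An advisory cross-posted to several lists arrives once per list;
        # the Message-ID is the same each time, so read it once.
        if mid and mid in seen_ids:
            results.append((subject, lst, "duplicate", []))
            continue
        if mid:
            seen_ids.add(mid)
        if any(p.search(subject) for p in KILL_PATTERNS.get(lst, [])):
            results.append((subject, lst, "kill", []))
            continue
        text = (subject + "\n" + body_text(msg)).lower()
        hits = [k for k in SITE_INVENTORY
                if re.search(r"\b" + re.escape(k) + r"\b", text)]
        if hits and lst in ADVISORY_LISTS:
            action = "urgent"      # advisory about something we run
        elif hits:
            action = "keep"        # discussion about something we run
        else:
            action = "archive"     # file it; nobody needs to read it today
        results.append((subject, lst, action, hits))
    return results


def _msg(list_id, msg_id, subject, body):
    """Build a constructed raw message for the demo."""
    return (f"From: poster@example.org\nTo: list@example.org\n"
            f"List-Id: {list_id}\nMessage-ID: {msg_id}\n"
            f"Subject: {subject}\n\n{body}\n")


# Constructed sample traffic: one advisory cross-posted to two lists, a
# flame thread, a relevant question, and an off-inventory discussion.
SAMPLE_MESSAGES = [
    _msg("CERT Advisories <cert-advisory.cert.org>", "<adv-1@example.org>",
         "Sample advisory: updated sendmail release",
         "Constructed sample advisory text mentioning sendmail."),
    _msg("Bugtraq <bugtraq.securityfocus.com>", "<adv-1@example.org>",
         "Sample advisory: updated sendmail release",
         "Same constructed advisory cross-posted to a second list."),
    _msg("Bugtraq <bugtraq.securityfocus.com>", "<flame-1@example.org>",
         "Re: Re: Re: you are all anti-disclosure",
         "Constructed flame-thread message."),
    _msg("Bugtraq <bugtraq.securityfocus.com>", "<q-1@example.org>",
         "Question about ssh key management",
         "Constructed question that mentions OpenSSH configuration."),
    _msg("Firewalls <firewalls.isc.org>", "<fw-1@example.org>",
         "Philosophy of packet filtering",
         "Constructed discussion with no product names in it."),
]

if __name__ == "__main__":
    for subject, lst, action, hits in triage(SAMPLE_MESSAGES):
        print(f"{action:9s} [{lst:13s}] {subject}  {hits}")
```

In practice the raw messages would come from an mbox or a delivery agent, and `seen_ids` would be persisted between runs so that a digest arriving the next day does not reopen something already handled. The inventory match is deliberately a whole-word search so that, for example, "binding" does not trip the "bind" rule.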
D.1.3 Major Mailing Lists
These are some of the major mailing lists.
D.1.3.1 Bugtraq
Bugtraq is a full-disclosure computer
security mailing list run by SecurityFocus. This list features
detailed discussions of security holes in Unix and other systems: what they are, how to
exploit them, and what to do to fix them. This list is not intended
to be about cracking systems or exploiting their vulnerabilities
(although that is known to be the intent of some of the subscribers).
It is, instead, about defining, recognizing, and
preventing security holes and risks. To subscribe, sign up at:
- http://www.securityfocus.com/
Note that we have seen some incredibly incorrect and downright bad
advice posted to this list. Individuals who attempt to point out
errors or corrections are often roundly flamed as being
"anti-disclosure." Post to this
list with caution if you are the timid sort.
SecurityFocus also runs several other mailing lists that cover areas
of security (such as IDS, honeypots, or viruses) or specific flavors
of Unix (such as Linux or Sun systems). A particularly interesting
list is "incidents," which reports
actual attacks and break-ins. SecurityFocus is owned by the Symantec
Corporation.
D.1.3.2 CERT-advisory
New CERT/CC advisories of security flaws and
fixes for Internet systems are posted to this list. This list makes
somewhat boring reading; often the advisories are so watered down
that you cannot easily figure out what is actually being described.
Nevertheless, the list does have its bright spots. Send subscription
requests to majordomo@cert.org. Put
"subscribe cert-advisory" in the
message body.
Archived past advisories are available at:
- http://www.cert.org/nav/alerts.html.
D.1.3.3 Computer underground digest
A curious mixture of postings on privacy, security, law, and the
computer underground filled this list. Despite the name, this list was
not a digest of material by the
"underground"; it contained
information about the computing milieu. Unfortunately, it stopped
publishing in 2000, and it is unclear if the list will ever resume.
This list was available as the newsgroup
comp.society.cu-digest on the Usenet; the
newsgroup was the preferred means of distribution. The list is
archived at numerous places around the Internet, including its home
page:
- http://sun.soci.niu.edu/~cudigest/
D.1.3.4 Firewalls
The Firewalls mailing list, which is
hosted by the Internet Software Consortium, is a primary forum for
folks on the Internet who want to discuss the design, construction,
operation, maintenance, and philosophy of Internet firewall security
systems. To subscribe, visit:
- http://www.isc.org/services/public/lists/firewalls.html
The Firewalls mailing list is usually high-volume (sometimes more
than 100 messages per day, although usually it is only several dozen
per day). To accommodate subscribers who don't want
their mailboxes flooded with lots of separate messages from
Firewalls, a digested version of the list is also available, and the
list is archived on the web site.
D.1.3.5 Firewall-Wizards
The Firewall-Wizards mailing list is a moderated list focused not
only on the design and implementation of firewalls but also on other
network security topics. You can subscribe (or browse the archives)
at:
- http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
D.1.3.6 RISKS
RISKS is officially known as the ACM Forum
on Risks to the Public in the Use of Computers and Related Systems.
It's a moderated forum for discussing risks to
society from computers and computerization. RISKS is also distributed
as the comp.risks Usenet newsgroup, and this is
the preferred method of subscription. If you don't
get Usenet (and don't want to read it via
http://groups.google.com), you
can send email subscription requests to
RISKS-Request@csl.sri.com with the word
"subscribe" in the body.
Back issues are available through Google (as above) or from:
- http://www.risks.org/.
D.1.3.7 SANS Security Alert Consensus
Security Alert Consensus
is a weekly digest of alerts and announcements from several other
security mailing lists and vendors. Subscriptions can be customized
to include only those operating systems for which you are
responsible. Subscribe at:
- http://www.sans.org/.