Zardoz (computer security)
The Zardoz list, more formally known as the Security-Digest list, was a famous semi-private full disclosure mailing list run by Neil Gorsuch from 1989 through 1991, identifying weaknesses in systems and where to find them. Zardoz is most notable for its status as a perennial target for computer hackers, who sought archives of the list for information on undisclosed software vulnerabilities.

Membership restrictions

Access to Zardoz was approved on a case-by-case basis by Gorsuch, principally by reference to the user account used to send subscription requests; requests were approved for root users, valid UUCP owners, or system administrators listed at the NIC.

The openness of the list to users other than Unix system administrators was a regular topic of conversation, with participants expressing concern that vulnerabilities or exploitation details disclosed on the list were liable to spread to hackers. On the other hand, the circulation of Zardoz postings among computer hackers was an open secret, mocked openly in a famous Phrack parody of an IRC channel populated by notable security experts.

Notable participants

  • Keith Bostic discussed BSD Sendmail vulnerabilities
  • Chip Salzenberg discussed Peter Honeyman's posting of a UUCP worm, and shell script security
  • Gene Spafford discussed VMS and Ultrix bugs, and relayed law enforcement enquiries about the Morris Worm
  • Tom Christiansen discussed SUID shell scripts
  • Chris Torek discussed devising exploits from general descriptions of vulnerabilities
  • Henry Spencer discussed Unix security
  • Brendan Kehoe discussed systems security
  • Alec Muffett announced Crack, the famous Unix password cracker


The majority of Zardoz participants were Unix systems administrators and C software developers. Neil Gorsuch and Gene Spafford were the most prolific contributors to the list.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 