Underground

   Zardoz, a worldwide security mailing list, was also precious, but for
   a different reason. Although the mailing list's formal name was
   Security Digest, everyone in the underground simply called it Zardoz,
   after the computer from which the mailouts originated. Zardoz also
   happened to be the name of a science fiction cult film starring Sean
   Connery. Run by Neil Gorsuch, the Zardoz mailing list contained
   articles, or postings, from various members of the computer security
   industry. The postings discussed newly discovered bugs--problems with
   a computer system which could be exploited to break into or gain root
   access on a machine. The beauty of the bugs outlined in Zardoz was
   that they worked on any computer system using the programs or
   operating systems it described. Any university, any military system,
   any research institute which ran the software documented in Zardoz was
   vulnerable. Zardoz was a giant key ring, full of pass keys made to fit
   virtually every lock.


   True, system administrators who read a particular Zardoz posting might
   take steps to close up that security hole. But as the hacking
   community knew well, it was a long time between a Zardoz posting and a
   shortage of systems with that hole. Often a bug worked on many
   computers for months--sometimes years--after being announced on



   Why? Many admins had never heard of the bug when it was first
   announced. Zardoz was an exclusive club, and most admins simply
   weren't members. You couldn't just walk in off the street and sign up
   for Zardoz. You had to be vetted by peers in the computer security
   industry. You had to administer a legitimate computer system,
   preferably with a large institution such as a university or a research
   body such as CSIRO. Figuratively speaking, the established members of
   the Zardoz mailing list peered down their noses at you and determined
   if you were worthy of inclusion in Club Zardoz. Only they decided if
   you were trustworthy enough to share in the great security secrets of
   the world's computer systems.


   In 1989, the white hats, as hackers called the professional security
   gurus, were highly paranoid about Zardoz getting into the wrong hands.
   So much so, in fact, that many postings to Zardoz were fine examples
   of the art of obliqueness. A computer security expert would hint at a
   new bug in his posting without actually coming out and explaining it
   in what is commonly referred to as a `cookbook' explanation.


   This led to a raging debate within the comp-sec industry. In one
   corner, the cookbook purists said that bulletins such as Zardoz were
   only going to be helpful if people were frank with each other. They
   wanted people posting to Zardoz to provide detailed, step-by-step
   explanations on how to exploit a particular security hole. Hackers
   would always find out about bugs one way or another and the best way
   to keep them out of your system was to secure it properly in the first
   place. They wanted full disclosure.


   In the other corner, the hard-line, command-and-control computer
   security types argued that posting an announcement to Zardoz posed the
   gravest of security risks. What if Zardoz fell into the wrong hands?
   Why, any sixteen-year-old hacker would have step-by-step directions
   showing how to break into thousands of individual computers! If you
   had to reveal a security flaw--and the jury was still out in their
   minds as to whether that was such a good idea--it should be done only
   in the most oblique terms.