USENIX - Security Web Sites


Here are some Internet sites of interest to those whose work includes security. They come from the Web Security Sourcebook, by Avi Rubin, Dan Geer, and Marcus Ranum, with a foreword by Steven Bellovin, published in 1997 by John Wiley & Sons. You can place orders now with John Wiley & Sons by calling toll-free at (800) 225-5945, or online via Amazon books.

ftp://athena-dist.mit.edu/pub/kerberos/KERBEROS.FAQ This is the Frequently Asked Questions file for the Kerberos authentication system. It provides not only an overview of Kerberos but information about where and how to get it.

ftp://info.cert.org/pub/tools/cops/ This is the complete COPS distribution. As newer versions of the software are released, they will also be available on this site.

ftp://info.cert.org/pub/cert_advisories/ This is the Computer Emergency Response Team's advisory archive. It contains alert notices of security flaws in a large number of operating systems and software packages.

ftp://info.cert.org/pub/cert_advisories/CA-96.26.ping This CERT alert documents the notorious "large ping packet" denial of service attack. It lists systems that are known to be vulnerable.

ftp://ftp.cert.dfn.de/pub/tools/password/SKey/ This is a version of the S/Key authentication software and its documentation.

ftp://ftp.csn.net/mpj/getpgp.asc This file is the "how to get PGP FAQ" and lists a number of distribution points for the PGP encryption package. It also includes up-to-date information about PGP versions and what platforms PGP runs on.

ftp://ftp.cwi.nl/pub/pct/ This is a distribution of the Python Cryptography Toolkit, including documentation.

ftp://ftp.metronet.com/pub/perl/doc/manual/html/perlsec.html This manual page describes some of the security properties of the perl language and the perl tainting feature.

https://www.tw.pgp.net/pgpnet/pgp-faq/faq.html The PGP encryption system FAQ. Includes detailed directions on how to use PGP, generate keys, exchange them, etc.

ftp://info.cert.org/pub/cert_advisories/CA-95%3A04.NCSA.http.daemon.for.unix.vulnerability This CERT advisory describes a flaw in NCSA httpd, caused by a buffer overrun.

ftp://info.cert.org/pub/tech_tips The CERT maintains this directory of tech tips relating to different aspects of system and network security, with a slightly UNIX-centric view of the world.

ftp://info.cert.org/pub/tools/tripwire/ This is the distribution of the tripwire file integrity checker. Complete source code and documentation are included.

ftp://net-dist.mit.edu/pub/PGP/mitlicen.txt This file explains MIT's licensing policy for the MIT version of PGP.

ftp://net-dist.mit.edu/pub/PGP/rsalicen.txt This file explains RSADSI's licensing policy for the RSA encryption and key exchange algorithms used by PGP.

ftp://net.tamu.edu/pub/security This is the top-level distribution point for Texas A&M University's security whitepapers area. It includes a number of security-related tools and publications.

ftp://ftp.Stanford.EDU/general/security-tools/swatch This is the distribution point for the "swatch" system log monitoring utility. Complete source code and documentation are included.

ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd This is the distribution point for the Washington University FTP daemon, which is a very popular "full-featured" FTP server. It is the most actively maintained FTP server version and has many security bug fixes.

https://www.clark.net/pub/mjr/pubs/sources/aftpd.taz This is the distribution point for Marcus Ranum's minimal FTP server. Unlike most FTP servers, it does very little except serve files in read-only mode. It is designed to run without permissions. For highly paranoid sites only.

gopher://ds1.internic.net/00/fyi/fyi8.txt This is the "Site Security Policy Handbook" -- a highly useful document for those needing to draft site policies and procedures for security.

https://apache.org/ This is the distribution point for the highly popular Apache web server. Apache supports SSL and a number of advanced security features.

https://ciac.llnl.gov/ This is the top-level page for the US Department of Energy's computer security advisory group. Its role is similar to CERT's but focused on the Department of Energy.

https://ds.internic.net/internet-drafts/draft-ietf-http-digest-aa-05.txt This is the Internet draft on HTTP digest authentication. It proposes an incremental improvement over the current password-based scheme.

https://ds.internic.net/rfc/rfc1321.txt RFC 1321 describes the popular and widely-used MD5 hashing algorithm. The RFC includes a reference implementation of the algorithm, written in C.

https://grail.cnri.reston.va.us/grail/info/manual/restricted.html This paper describes the restricted mode operation supported by the Python system and Grail browser.

https://home.netscape.com/comprod/server_central/config/nsapi.html This document describes the Netscape Server Application Programming Interface (NSAPI) for Netscape 1.1 servers.

https://hoohoo.ncsa.uiuc.edu/auth-tutorial/tutorial.html This tutorial surveys the current methods in NCSA Mosaic for X version 2.0 and NCSA httpd for restricting access to documents. It also walks through setup and use of these methods.

https://hoohoo.ncsa.uiuc.edu/cgi/cl.html This document describes how command line processing is performed in CGI scripts. It includes several examples of how to use CGI command line processing.

https://hoohoo.ncsa.uiuc.edu/cgi/env.html This document describes how CGI environment variables are managed when a script is called. It includes pointers to examples.

https://hoohoo.ncsa.uiuc.edu/cgi/in.html This document describes how POST and PUT methods are invoked through CGI scripts, and how their input is processed. It includes examples.

https://hoohoo.ncsa.uiuc.edu/cgi/out.html This document describes output processing from CGI scripts, including the naming conventions used and responses expected by the client.

https://hoohoo.ncsa.uiuc.edu/cgi/overview.html This document gives a broad overview of the CGI interface, its purpose, and principles.

https://hoohoo.ncsa.uiuc.edu/cgi/security.html This document provides an overview of the security issues in developing CGI scripts. If you've purchased this book, you don't need it. If you're just browsing this book at a bookstore and don't intend to buy it then you can start your independent research here.

https://hoohoo.ncsa.uiuc.edu/docs/tutorials/cgi.html This is an introductory tutorial to CGI scripts and how to write them.

https://icemcfd.com/tcl/comparison.html This is a pointer farm for comparisons between Tcl and other languages. Some of it is culled from newsgroups, some of it not. Comprehensive at least.

https://sunsite.unc.edu/javafaq/javafaq.html This is a Java FAQ list for the comp.lang.java newsgroups.

https://sw.cse.bris.ac.uk/WebTools/redman.html This is the "RedMan" page; it describes a WebPage Redirection Manager that is a pretty simple idea for redirecting some kinds of references such as *.html to and from *.htm as well as handling compressed sources returned uncompressed.

https://underground.org/tools/unix/audit/crack/ Crack breaks password files. Therefore, either you run crack on your password file or someone else will do it for you. If you do it on yourself, perhaps you can convince your users to do better with their password choices.

https://ute.usi.utah.edu/bin/cgi-programming/counter.pl/cgi-programming/intro.html An introduction to CGI and CGI Programming.

https://wuarchive.wustl.edu/packages/wuarchive-ftpd/ The best FTP package is here.

https://www-genome.wi.mit.edu/WWW/faqs/wwwsf5.html This section of the WWW Security FAQ is about safe scripting in Perl.

https://www-ns.rutgers.edu:80/www-security/index.html This is an index document prepared by the Rutgers University WWW security team. It has a lot of links elsewhere, so it is a good place to begin.

https://www-swiss.ai.mit.edu/~bal/pks-toplev.html This is Brian LaMacchia's PGP Key Server and a whole lot of PGP-related links elsewhere. Want to know the PGP key of a known party? Start here.

https://www.ast.cam.ac.uk/%7Edrtr/cgi-spec.html IETF WWW CGI v1.1 document, also available elsewhere.

https://www.att.com The website of AT&T.

https://www.axent.com/ The website of Axent Technologies, makers of security products including host-based security audit software.

https://www.bellcore.com/BETSI/general.info.html The canonical site for Bellcore's Trusted Software Integrity System, a.k.a. BETSI, which tries to solve the trusted software distribution problem. It is free and experimental.

https://www.cerf.net/~paulp/cgi-security/safe-cgi.txt Safe CGI programming tutorial notes from Paul Phillips who is also the author of the "Useless Pages."

https://www.cert.dfn.de/eng/resource/keyserv.html An index of, and other information about, PGP Key Servers, including what to do about compromised keys.

The canonical USENET Tcl FAQ.

The website of Computer Security Technologies (COST) of Sweden.

https://www.cryptolope.ibm.com/about.htm The IBM site regarding cryptolopes, a proprietary cryptographic container object for copyright protection, proof of ownership, etc., etc.

https://www.cs.purdue.edu/coast/archive/Archive_Indexing.html This is the top-level index page of the COAST security archive, arguably the most extensive archive available anywhere.

https://www.cs.purdue.edu/homes/spaf/hotlists/csec-top.html The COAST hotlist, arguably the place to go when you want to know what's new since I went on vacation, say.

https://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec/ This tutorial is to teach defensive programming for CGI applications and assumes that you already know what CGI is and are in a programming frame of mind.

https://www.cybertrust.com The website of the GTE spinoff CyberTrust, a public certifying authority and the provider of CA tools generally.

https://www.fastcgi.com The website of the FastCGI group at Open Market, Inc. FastCGI is a serious performance-boosting alternative to CGI in its ordinary form, but it does not take the risky step of binding applications into the running webserver itself.

https://www.haystack.com The website of Haystack Labs, a security firm that sells, inter alia, the WebStalker webserver audit package.

https://www.iss.net/vd/compromise.html A fascinating and, under the right (sad) circumstances, essential reference to what you should do *after* you have had a compromise of your UNIX machine. Complete to a fault.

https://www.iss.net/sec_info/anonftp.html The anonymous FTP FAQ; everything you need to know about providing anonymous FTP services safely.

https://www.javasoft.com/doc/ The website of JavaSoft, the Java company spun off from Sun Microsystems. Lots of links.

https://www.law.cornell.edu/uscode/22/2778.html This is the straight text of the arms control rules under which cryptographic export is regulated. This, of course, will change with time.

https://www.maxm.com/products/maxent.html MAXM Systems Corporation provides a number of products, notably the MAX/Enterprise event management system.

https://www.microsoft.com/intdev/security/authcode/authwp.zip Microsoft's "authenticode" is a code signing package that attempts to solve the downloaded-software problem by requiring that all such code fragments be signed by "reputable" vendors. Contrast this to other means that ignore signing and instead provide padded cells to run the software in.

https://www.microsoft.com/win32dev/apiext/isapimrg.htm Microsoft's ISAPI is the API programmers use to bind their application into the running webserver. The benefits are speed and the ubiquity of the Microsoft platforms; the risks have to do with intermingling applications servers and webservers in the same binary.

https://webcompare.iworld.com/compare/chart.html Webserver feature chart, i.e., a way to compare webservers.

https://www.ncsa.com/webcert/webcert.html This is the home page for the NCSA Certified Secure Web Site Certification Program. The NCSA Certified Web Site program provides assurance to web users, and to organizations represented by web sites, that Certified Web Sites meet minimum standards for a range of logical and physical security issues. According to NCSA, users who visit an NCSA Certified Web Site can expect that the site has taken the necessary security measures to prevent intrusion, tampering, data loss or theft, and hacking, as opposed to other sites that have not received NCSA Certification.

https://www.ov.com/

https://www.ov.com/products/e_manager.html

https://www.ov.com/products/secure.html These three URLs belong to OpenVision. They feature an open system technology based on Kerberos. These pages give information about their commercial product for network security services.

https://www.perl.com/perl/index.html This is a home page that was created for the perl programming language. It is a starting point for obtaining software, documentation and answers to many questions.

https://www.perl.com/perl/faq/perl-cgi-faq.html This page contains a list of frequently asked questions and their answers for writing CGI scripts in perl.

https://www.perl.com/perl/info/security.html This page is used to maintain a list of security bugs in well-known CGI scripts written in perl. There are pointers to CERT advisories and other bugs.

https://www.pgp.com/phil/phil.cgi This is Phil Zimmermann's home page. He is the designer and builder of PGP, the most widely used software product for public key encryption and signature. The following two URLs relate to using this software:

https://www.pgp.com/products/viacryptletter.cgi

https://www.pgp.net/pgpnet/email-key-server-info.html

https://www.python.org/doc/tut/tut.html

https://www.python.org/python/Comparisons.html Python is a simple programming language that bridges the gap between C and shell programming, and is thus suited for throw-away programming and rapid prototyping. Its syntax is put together from constructs borrowed from a variety of other languages; most prominent are influences from ABC, C, Modula-3 and Icon.

https://www.securid.com/ This is the home page of Security Dynamics. They make the SecurID card, an authentication token that is used to generate one-time passwords.

https://www.ssc.com/websmith/issues/ This is an online journal which answers many questions about creating and maintaining web sites.

https://www.stack.nl/~galactus/remailers/attack-faq.html This page is devoted to the breaking of PGP. It discusses all known attacks and methods for attacking the program.

https://www.stentor.ca/ Stentor is a telecommunications company in Canada. This is their home page.

https://www.sunlabs.com/research/tcl/docs.html

https://www.sunlabs.com/research/tcl/plugin/safetcl.html

https://www.sunlabs.com/tcl TCL is a programming language that allows for rapid prototyping and easy interaction with tk, a windows toolkit.

https://www.tivoli.com/ Tivoli is a company with an environment for managing networked computers. They are partnered with IBM.

https://www.uhsa.uh.edu/issa/tools.html This page contains some security tools for authentication, cryptography, firewalls, network monitoring, network and system security and others. It is a great starting point.

https://www.vanderburg.org/~glv/Tcl/war/ This page contains articles that debate whether or not Tcl is a good programming language or not.

https://www.verisign.com This is the home page of the Verisign company. They issue digital certificates for people and organizations. They are partners with RSA. This site is worth checking out if you are interested in obtaining your own certificate or finding out more about what the certificates mean.

https://www.w3.org/ This is the home page of the world wide web consortium. It was founded in 1994 to develop common standards for the evolution of the World Wide Web.

https://www.yahoo.com/Computers/World_Wide_Web/CGI___Common_Gateway_Interface/ This is a Yahoo page that can point you to many web resources about writing and maintaining CGI scripts on the web. Lots of great links.

kerberos-request@athena.mit.edu This is a mailing list that discusses the Kerberos system. It is a place to post questions about installing or maintaining Kerberos.

news://comp.protocols.kerberos This is a newsgroup devoted to discussing the security of the Kerberos protocol.

news:comp.lang.java.security This newsgroup discusses the security issues surrounding the Java programming language.

news:comp.lang.perl.misc This newsgroup is the place to find answers to all your questions about programming in Perl. About 130 postings per day.

news:comp.lang.python Similar to above, but discusses python instead of Perl.

news:comp.lang.tcl A newsgroup where the TCL programming language is discussed.


Last changed: May 26, 1997 pc