Security Related Links for admins, and informed alternative users (not a complete list, but a good start.)
Links to security related legal, analysis, and educational data and information:
- http://www.securityfocus.com/ archives BUGTRAQ: k-rad-uber-tres-cool security mailing list. Full disclosure, moderated, good signal, low noise. Not always the first place to find current security issues, but is a clearing house for many issues.
- http://www.iss.net/ sponsors several mailing lists at http://www.iss.net/security_center/maillists/ Mailing list sponsored by ISS on security with some discussions on security and networking security.
- http://www.ntbugtraq.com/ Has the NT Bugtraq mailing list available, which is the NT-based BUGTRAQ that focuses on Windows NT. NT issues also appear in mainstream BUGTRAQ, but this list offers more discussion with an emphasis on Windows NT. Also full disclosure, and moderated.
- http://ciac.llnl.gov/ has the CIAC (Computer Incident Advisory Capability) mailing list. It is not as nice of a list for Administrators and Hackers and Crackers since they often do not offer full disclosure, and try to work with vendors to come up with solutions before publishing them. It is a good list to join, since there are very few messages here anymore, but the few that make it through give you an idea on where some vendors are in their security audits.
- http://www.cert.org/ CERT (Computer Emergency Response Team) from Carnegie Mellon is similar to the CIAC list above in that you do not always get a "heads-up" when security problems exist, and what to examine, and expect in the way of canned exploits. They also try to work with vendors to find solutions before broadcasting security issues.
Periodicals and web forums/Fringe legality issues/alternative solutions:
- http://securityportal.com/ yet another one... and a specific article "Why BSD Will Never Be As Secure As Linux"
- http://www.wirex.com/: WireX communications
- http://www.argus-systems.com/product/overview/lx/: PitBull LX
- http://www.nsa.gov/selinux/: NSA Security Enhanced Linux
- http://www.lids.org/: Linux Intrusion Detection System "LIDS"
- http://medusa.fornax.sk/: Medusa DS9
- http://www.2600.com/ This is an older group and a magazine called "The Hacker Quarterly" that covers everything from hacking the phone company telco systems, to hacking systems, to social engineering, to systems security breach, to virus coding and beyond. Previous international meetings seem to happen about once every 3 years, but because Anarchy Rules, this is not necessarily going to remain consistent. First huge gathering was H.O.P.E. (Hackers on Planet Earth) back in 1994 (I think), then in 1997, and now in 2000 http://www.h2k.net/.
- http://www.cultdeadcow.com/ producers of Back Orifice, a utility for remote administration and trojaning of other machines to take them over (Windows 95 and NT)
- http://www.rootshell.com/beta/news.html Nice site with download-able exploits for all of those script kiddies. "Hey, these are cool! How do I compile stuff?" -A User
- http://www.packetfactory.net/Projects/sentinel/ The packet factory Sentinel project for detection of promiscuous mode ethernet interfaces on a network...
- http://www.sonic.net/group42 is from the 707! (our back yard) and has a CD they want to sell that is more black hat in its reviews and information than white hat...
- "http://www.hackernews.com/" gone? no longer has an entry for whois lookup
- http://www.secunet.de/ (In German. If you do not know German, try http://babelfish.altavista.com/ but you may need to select a frame manually and grab the URL for it...)
- http://www.security.kki.pl/ Published KKI Security Service in
- "http://www.infowar.co.uk/mnemonix/" (name still registered, but no resolution in DNS) More NT Stuff... also check the root level of the site "http://www.infowar.co.uk/" (name still registered, but no resolution in DNS) For even more NT Stuff...
- http://olympus.cs.ucdavis.edu/~bishop/secprog.html Matt Bishop's secure programming guide
- http://www.nolo.com/ Legal rights for both sides are covered in books from here.
- http://www.loompanics.com/ has many fringe books on things that are illegal if applied in the real world, or gray area, or just anarchistic/fringe books. The professional and the hobbyist often read books like these to remain informed on what *can* be done without having any intent for completing any of the things described.
http://www.lysator.liu.se/mit-guide/mit-guide.html The well known MIT Guide to lock picking archives on a .se site.
http://www.indra.com/archives/alt-locksmithing/ The alt.locksmithing FAQ.
http://www.terroristsupply.com/store/lockpick/index.shtml (The old site was http://www.southbendhackersclub.com/store/locks.html but it has changed to http://www.terroristsupply.com/store/lockpick/index.shtml.) Web site of a group that sells books which are also available from Loompanics ( http://www.loompanics.com/ ). (Mentioned earlier in this doc.)
http://www4.law.cornell.edu/uscode/39/3002a.html Federal laws on transport of locksmithing tools via mail
http://www4.law.cornell.edu/uscode/18/1716A.html and more info on the same
(Before you enter into performing any of the below, you should check with the laws in your area. Many countries, provinces, states, counties, and cities have rules and laws that govern the creation, use, and possession of items related to locksmithing.)
- http://www.foleybelsaw.com/ Has a correspondence course on locksmithing.
- http://www.locksmithingschool.com/ Physical Security / Locksmithing. Physical Security in most cases with computers equates to access. Un-observed access equates to possible theft of hardware and data. There are other better schools, but not many for you to learn from at home... If you are in California, you may want to look at http://www.dca.ca.gov/bsis/locksmith.htm for licensing... also for more info http://www.ultranet.com/~jbouris/lc.html
- http://www.dca.ca.gov/bsis/bsislock.htm California Licensing Information...
- http://www.wilton.force9.co.uk/lock/: Good site on lockpicking with public forum (mailing list) discussing locks, lock picking, locksmithing:
To subscribe to the list, send a message to:
To remove your address from the list, send a message to:
- http://www.clearstar.com/ A private forum of locksmiths where paid membership is required. They require you to prove you are a locksmith or student of locksmithing at a "reputable" school (like a school that is a member of ALOA or SASE.) At this time (May 13, 2001) they would require 3 of the following to be submitted for proof as well as the annual fees of US$40: State Locksmith/Security License, Driver's License, Supplier's invoice, Certificate from locksmithing/security school/course, Yellow Page Ad, Business card, Request submitted on Institution letterhead stationery, Association membership card (like SASE/ALOA or a local locksmith group with ties to a larger organization.) Though they have good discussion with knowledgeable people, it is not public and there is no anonymity.
- Commercial vendors of supplies many with pictures:
- http://www.justlockse.com/ (Was www.justlockslimited.com) They sell supplies, but I am not sure of restrictions. Pictures of lock picks and other tools including the destructive rotary pick (ha!) (commercial)
- http://www.foxspyoutlet.com/ (Commercial) has sold picks and supplies at the Las Vegas outlet without asking for ID due to more relaxed laws in NV on lockpicking supplies. In California, you may need to be a registered locksmith (see the BSIS link on the page) before you may buy lockpicks and lock bypass systems. In Nevada, there does not seem to be any such restriction, so their Fox's Spy Outlet in Las Vegas will sell to anyone. If you live in the U.S. please note the laws governing using the USPS to send locksmith supplies to non-registered locksmiths! It is illegal. You should research on your own to find if UPS or other carriers have similar legal restrictions, or if your local state (i.e. NJ), country, city, county, or province has rules governing where, how and who may receive locksmith supplies.
"just checked. here's the scoop:
0. they WILL sell you lockpick tools.
1. however, they photocopy your driver's license.
2. they keep the photocopy for 1 year.
3. if nobody comes knocking on their door asking about you, they toss the photocopy.
they also have a plethora of lockpick related books."
In CA, it does not take much to become a state licensed locksmith. Check out the BSIS. Once you are registered (even if you are a hobbyist) you will find it easier to buy supplies, and get other locksmiths to speak with you. An apprenticeship at a local shop is also a good idea, but be prepared to do a lot of recoring of locks, and little picking. (My own suggestion FWIW.)
- http://www.rimbros.co.uk/ British site (commercial)
- http://www.safeventures.com/ (Commercial)
- http://groups.yahoo.com/group/locksports/ a yahoo group on the topic.
- Comments and/or suggestions?: Email me at: firstname.lastname@example.org