[talk.bizarre] forgery

dsill@ark1.nswc.navy.mil (Dave Sill) (10/31/89)

In article <6037@tank.uchicago.edu>, toto@tank.uchicago.edu (Sandra
Jessica Smyth) writes:
> Now, is it obvious why we don't need discussions of how postings can
> be forged?

No, it's not.  Perhaps if we (the set of all USENET administrators)
knew how postings were forged, we'd know how to stop forgeries.  I'd
rather have a short period during which the forgery rate is expected
to be high followed by a long period of no forgeries than a long
period of unexpected forgeries.

What is obvious to me, though, (even if you don't buy the above) is
that we need to discuss how to recognize a forged posting.  My guess
is that you looked at the Path: entry in the header and saw that
gryphon was linked to the wrong system.  (Just a guess.)

Another thing that's not obvious to me is why Richard didn't expose
the forgery.

Dave Sill (dsill@relay.nswc.navy.mil)

chuq@Apple.COM (Chuq Von Rospach) (10/31/89)

>No, it's not.  Perhaps if we (the set of all USENET administrators)
>knew how postings were forged, we'd know how to stop forgeries.

Actually, no. I've got an article I wrote for moderators/usenet
admins/hackers and etc a few years ago on how to forge messages. It was
also (accidentally) posted to RISKS, so it might be in the archives there.
If people really want it, I suppose I could post it, since there are no
real secrets to it -- it's fairly trivial if you understand both USENET and
the transfer mechanisms.

It's also a security hole that has completely defied plugging, simply
because the information you need to plug it is unavailable and there's no
way to (practically) make that information available, thanks to certain
protocol limitations.

>I'd
>rather have a short period during which the forgery rate is expected
>to be high followed by a long period of no forgeries than a long
>period of unexpected forgeries.

Well, it didn't happen when it was posted to RISKS, but perhaps that was an
obscure enough release that the idiots didn't notice it. More likely, most
people wouldn't bother, or might post one or two for the thrill of it
and then move on to some other amusement...

>What is obvious to me, though, (even if you don't buy the above) is
>that we need to discuss how to recognize a forged posting.

A good forgery is almost untraceable. I might point out, for instance, that
technically speaking all the newgroups I posted when I was newgroup czar
are forgeries, as while zamboni.apple.com exists, it's neither attached to
an outside network nor does it run usenet. And, if it matters, I don't
become Mr. USENET on Apple.com when I send it out, so I don't have
privileges to do so when I do it (I could, but it's easier this way). 

>Another thing that's not obvious to me is why Richard didn't expose
>the forgery.

One aspect of a forgery is that the person who is being forged doesn't see
the message, because of an obscure aspect of the propagation code in
USENET. USENET software looks at the Path: variable and if a hostname in
your sys file is in the Path:, it won't send the message, since by
definition that machine has seen it already. So putting "gryphon" in the
path makes sure the message never gets to "gryphon". (which actually has
practical uses of its own, if you think of it).

-- 

Chuq Von Rospach <+> Editor,OtherRealms <+> Member SFWA/ASFA
chuq@apple.com <+> CI$: 73317,635 <+> [This is myself speaking]

Trust Mama Nature to remind us just how important things like sci.aquaria's
name really is in the scheme of things.
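
[Added example, not part of the thread. The following Python is an illustration of two points made above: Dave Sill's guess that a forgery shows up when the Path: header places a site next to a system it has no link with, and Chuq's description of the propagation rule, under which an article is not fed to a sys-file neighbour whose name already appears in Path:, so naming the victim's site in a forged Path keeps the article from ever reaching it. The link table, the sys-file neighbour list and the sample headers are constructed for illustration and are not real 1989 topology; treating the trailing Path: element as the poster's login rather than a host is an assumption about the B News era format, and the function names are my own.]

```python
"""Path:-header checks for Usenet articles (added illustration, not code from
the thread).  The link table and sample headers below are constructed."""
from typing import Dict, List, Set, Tuple

# Constructed link table (assumption, not real topology): the sites each site
# actually exchanges news with.  A real admin would build this from sys files.
KNOWN_LINKS: Dict[str, Set[str]] = {
    "uunet": {"gryphon", "attcan", "apple"},
    "gryphon": {"uunet"},
    "attcan": {"uunet", "utzoo"},
    "utzoo": {"attcan"},
    "apple": {"uunet", "tank"},
    "tank": {"apple"},
}


def parse_path(header_value: str) -> List[str]:
    """Split 'a!b!c!user' into hops; hop 0 is the site that handled it last."""
    return [h.strip() for h in header_value.split("!") if h.strip()]


def path_hosts(hops: List[str]) -> List[str]:
    """Every element except the trailing login is a site (format assumption)."""
    return hops[:-1]


def implausible_links(hops: List[str],
                      links: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Adjacent site pairs where both sites are known but do not exchange news.

    Path: is built by prepending, so hops[i] received the article from
    hops[i+1].  Returns (sender, receiver) pairs that contradict the table;
    an unknown site is not reported, since we cannot judge its links.
    """
    hosts = path_hosts(hops)
    bad: List[Tuple[str, str]] = []
    for receiver, sender in zip(hosts, hosts[1:]):
        if receiver in links and sender in links and sender not in links[receiver]:
            bad.append((sender, receiver))
    return bad


def should_feed(hops: List[str], neighbour: str) -> bool:
    """Propagation rule as Chuq describes it: a sys-file neighbour already
    named in Path: is assumed to have seen the article and is skipped."""
    return neighbour not in path_hosts(hops)


def feed_targets(hops: List[str], sys_neighbours: List[str]) -> List[str]:
    """Neighbours this site would actually send the article to."""
    return [n for n in sys_neighbours if should_feed(hops, n)]


if __name__ == "__main__":
    # Constructed headers.  The genuine article was posted at gryphon and is
    # now at uunet; the forgery was injected at tank with gryphon's name
    # planted in the path so that it looks like richard's and never reaches
    # gryphon.
    genuine = parse_path("uunet!gryphon!richard")
    forged = parse_path("uunet!apple!tank!gryphon!richard")
    print("genuine suspicious links:", implausible_links(genuine, KNOWN_LINKS))
    print("forged suspicious links: ", implausible_links(forged, KNOWN_LINKS))
    # Seen from uunet, whose sys file lists gryphon, attcan and apple:
    print("uunet feeds forged article to:",
          feed_targets(forged, ["gryphon", "attcan", "apple"]))
```

The adjacency check is only as good as the link table, which is the practical problem Chuq raises in the post above: the information needed to judge a Path: is not available network-wide.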

hb@uvaarpa.virginia.edu (Hank Bovis) (10/31/89)

In article <36049@apple.Apple.COM> chuq@Apple.COM (Chuq Von Rospach) writes:
[Attribution for the following lost. --hb]
##No, it's not.  Perhaps if we (the set of all USENET administrators)
##knew how postings were forged, we'd know how to stop forgeries.

Or perhaps not, at least not in any meaningful sense.  Depending
on the method, it might be that the only way to stop the forgery
be to stop the *genuine* article as well.

#One aspect of a forgery is that the person who is being forged doesn't see
#the message ...
#USENET software looks at the Path: variable and if a hostname in
#your sys file is in the Path:, it won't send the message, since by
#definition that machine has seen it already. So putting [<x>] in the
#path makes sure the message never gets to [<x>].

Also not necessarily true.  I've seen counterexamples to this.

hb
-- 
Hank Bovis (hb@Virginia.EDU, hb@Virginia.BITNET)

** Vote YES to sci.aquaria; send votes to richard@gryphon.COM. **

dsill@ark1.nswc.navy.mil (k30b) (10/31/89)

In article <36049@apple.Apple.COM>, chuq@Apple.COM (Chuq Von Rospach) writes:
> >No, it's not.  Perhaps if we (the set of all USENET administrators)
> >knew how postings were forged, we'd know how to stop forgeries.
> 
> Actually, no.

Well, I did say *perhaps*.  It at least was not obviously unnecessary
to talk about the how-tos of forgery, as 6037@tank.uchicago.edu
suggested.

> >Another thing that's not obvious to me is why Richard didn't expose
> >the forgery.
> 
> One aspect of a forgery is that the person who is being forged doesn't see
> the message, because of an obscure aspect of the propagation code in
> USENET.

He would have seen your reply, though.

Dave Sill (dsill@relay.nswc.navy.mil)

henry@utzoo.uucp (Henry Spencer) (10/31/89)

In article <212@ark1.nswc.navy.mil> Dave Sill <dsill@relay.nswc.navy.mil> writes:
>... Perhaps if we (the set of all USENET administrators)
>knew how postings were forged, we'd know how to stop forgeries...

Nope.  The problem is not fixable.  It is marginally practical, at quite
considerable cost, for moderated groups -- we looked at doing this in
C News, although our conclusion was "too much hassle" -- but just isn't
possible otherwise.
-- 
A bit of tolerance is worth a  |     Henry Spencer at U of Toronto Zoology
megabyte of flaming.           | uunet!attcan!utzoo!henry henry@zoo.toronto.edu