blue@altger.UUCP (blue) (12/10/88)
Well, it seems that UUCP &C. really lack on security..
I just realized that a registered node on a unix system, which
is NOT authorized to get News of ANY kind, can on the contrary
SEND any news-message ANYWHERE on ANY distribution.
THIS IS REALLY AMAZING.
On ANY Bulletin Board Service new users are allowed to read
at least some message base, but cannot write messages.
Protection should be made on the POSTING of new messages.
Not only on the "sendbatch"!
Usenet News are a living BUG.
b.b.
--
Mr. BlueBoy, DTE222/hck - Milano, Italy
Usenet: blue@altger | Unix has no bugs. Unix itself IS a bug.
Subnet: blue@i2ack | Let's use ProDos.. :-)
aad@stpstn.UUCP (Anthony A. Datri) (12/12/88)
In article <1219@altger.UUCP> blue@altger.UUCP (blue) writes:
>I just realized that a registered node on a unix system, which
>is NOT authorized to get News of ANY kind, can on the contrary
>SEND any news-message ANYWHERE on ANY distribution.
Say WHAT? First off, what is a "registered node on a unix system"? News is free; NOBODY is authorized to get it because there isn't any concept of authorization, unless your local people have done something strange. If you're going to send articles somewhere, you've got to have some other machine that's explicitly willing to take it from you, so I don't see your point.
--
@disclaimer(Any concepts or opinions above are entirely mine, not those of my employer, my GIGI, my VT05, or my 11/34)
beak is@>beak is not Anthony A. Datri
@SysAdmin(Stepstone Corporation) aad@stepstone.com stpstn!aad
wcs@skep2.ATT.COM (Bill.Stewart.[ho95c]) (12/14/88)
In article <1219@altger.UUCP> blue@altger.UUCP (blue) writes:
: Well, it seems that UUCP &C. really lack on security..
: I just realized that a registered node on a unix system, which
: is NOT authorized to get News of ANY kind, can on the contrary
: SEND any news-message ANYWHERE on ANY distribution.
: THIS IS REALLY AMAZING.
: On ANY Bulletin Board Service new users are allowed to read
: at least some message base, but cannot write messages.
: Protection should be made on the POSTING of new messages.
: Not only on the "sendbatch"!
You seem to have a different understanding of what usenet is about than
most of us do. There isn't some "big brother" government AUTHORIZING you
to send and receive news; everyone's allowed to do what they want.
(I realize Europe is slightly different because of billing for the trans-
Atlantic link, and because your phone companies belong to the government.)
If your site doesn't want to receive news, your administrators don't need
to install the software to receive it. If your administrators don't want to
receive a specific group, they can ask their news feed not to send it, or
tell their software to reject messages they don't want.
Posting is ok, and it's a good thing. If your site wants to reduce the
amount of posting they do to reduce costs, fine. If they want to make it
difficult to new users to post because they might look like fools if they
talk before they've done some reading, fine. It's not hard to get those
features. But otherwise, why protect posting? It's like arguing against
free speech; if you don't like what people might say you enlighten them
about how wrong they are, you don't prevent them from talking.
Distributions have two main purposes: to reduce the volume of news
transmitted around so people only pay to send/receive the news they want,
and to allow private discussions to use netnews technology
(e.g. within a company). The only security issues with distributions are
making sure that all the machines that support your private-discussion
group don't automatically forward to machines that shouldn't receive it
(easy) and making sure everyone who has access to those machines is allowed
to read the news (tougher, especially if your company has contract-workers
and other semi-employees on the machine, or if your machine supports TCP/IP
without being careful about administration.)
If you want to post an article to news.admin or talk.politics about
"Car for Sale in Amsterdam", or "Gorbachev selling used missiles"
it doesn't do any real harm, though it's annoying. This is just netnews,
after all - you don't have to believe everything you read here.
--
# Thanks;
# Bill Stewart, AT&T Bell Labs 2G218 Holmdel NJ 201-949-0705 ho95c.att.com!wcs
#
# News. Don't ask me about News.
henry@utzoo.uucp (Henry Spencer) (12/14/88)
In article <1219@altger.UUCP> blue@altger.UUCP (blue) writes:
>Well, it seems that UUCP &C. really lack on security..
>I just realized that a registered node on a unix system, which
>is NOT authorized to get News of ANY kind, can on the contrary
>SEND any news-message ANYWHERE on ANY distribution.
This problem has been known for a long time. Exercise for the reader: devise a good fix. Remember that the would-be news forger may be the system administrator on his own machine. It's a very hard problem.
--
SunOSish, adj: requiring | Henry Spencer at U of Toronto Zoology
32-bit bug numbers. | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
nanook@novavax.UUCP (Keith Dickinson) (12/14/88)
in article <1219@altger.UUCP>, blue@altger.UUCP (blue) says:
> Xref: novavax news.sysadmin:2013 news.admin:4465
> Posted: Sat Dec 10 02:11:54 1988
>
> Well, it seems that UUCP &C. really lack on security..
> I just realized that a registered node on a unix system, which
> is NOT authorized to get News of ANY kind, can on the contrary
> SEND any news-message ANYWHERE on ANY distribution.
> THIS IS REALLY AMAZING.
> On ANY Bulletin Board Service new users are allowed to read
> at least some message base, but cannot write messages.
> Protection should be made on the POSTING of new messages.
> Not only on the "sendbatch"!
> Usenet News are a living BUG.
> b.b.
> --
> Mr. BlueBoy, DTE222/hck - Milano, Italy
> Usenet: blue@altger | Unix has no bugs. Unix itself IS a bug.
> Subnet: blue@i2ack | Let's use ProDos.. :-)
BB,
This is not entirely true. I am running Ufgate software on my MS-DOS (yuck) PC. Ufgate takes messages entered/routed in by Opus/Fidonet and passes them on to my Usenet host site. I was worried at the fact that people could post to "moderated" areas and not have any restrictions. After a few test messages, I discovered that the news handler on Novavax was scanning the news feeds, and finding that they had not hit the "moderator" yet, forwarded them to the moderator. Your worries MAY be valid on some systems, but at novavax.UUCP apparently there is no problem.
Keith Dickinson
-----
 _ /|   | Fidonet : 369/2 [(305) 421-8593] Brave Mew World South
\'o.O'  | Internet : nanook@muadib.FIDONET.ORG
=(___)= | UUCP : (novavax,hoptoad!ankh)!muadib!nanook | nanook@novavax
   U    | USNail : 433 SE 13th CT. J-202, Deerfield Beach, Fl. 33441
  Ack!  | Disclaimer: This message was created by a faulty AI program.
Don't blame me...I voted for Bill'n'Opus in '88
lmb@vicom.COM (Larry Blair) (12/16/88)
In article <2567@stpstn.UUCP> aad@stpstn.UUCP (Anthony A. Datri) writes:
=If you're going to send articles somewhere, you've got to
=have some other machine that's explicitly willing to take it from you,
Not true. You can dump news on any system that you have a uucp connection
to. I could dump all of our news on, say, osu-cis, if I wanted to. About
the only way they could stop me would be to remove "rnews" from the L.cmds
file (or remove the anonymous login).
I'm talking 2.11.14 here; I have no idea what Eric or Henry might have put
in their versions.
--
Larry Blair ames!vsi1!lmb lmb@vicom.com
jbuck@epimass.EPI.COM (Joe Buck) (12/17/88)
In article <2567@stpstn.UUCP> aad@stpstn.UUCP (Anthony A. Datri) writes:
=If you're going to send articles somewhere, you've got to
=have some other machine that's explicitly willing to take it from you,
In article <1299@vsi1.COM> lmb@vicom.COM (Larry Blair) writes:
>Not true. You can dump news on any system that you have a uucp connection
>to. I could dump all of our news on, say, osu-cis, if I wanted to. About
>the only way they could stop me would be to remove "rnews" from the L.cmds
>file (or remove the anonymous login).
It depends. If you run HDB UUCP, there is no such file as L.cmds. The Permissions file allows you to specify separate sets of legal commands for each neighbor, and only permit your official Usenet neighbors to execute "rnews". An archive site that permits anonymous UUCP could prevent the "anonymous" login from sending mail or news, if desired, permitting nothing but file transfers from a specified directory, while official news and mail neighbors pound away.
So, if osu-cis were configured this way, then no, you couldn't dump news on them.
--
- Joe Buck jbuck@epimass.epi.com, or uunet!epimass.epi.com!jbuck, or jbuck%epimass.epi.com@uunet.uu.net for old Arpa sites
I am of the opinion that my life belongs to the whole community, and as long as I live it is my privilege to do for it whatever I can. -- G. B. Shaw
karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste) (12/17/88)
lmb@vicom.COM (Larry Blair) writes:
   Not true. You can dump news on any system that you have a uucp connection
   to. I could dump all of our news on, say, osu-cis, if I wanted to. About
   the only way they could stop me would be to remove "rnews" from the L.cmds
   file (or remove the anonymous login).
Joe Buck's response had it on the ball here. osu-cis runs HDB UUCP,
and the Permissions file entry for the Uanon login allows rmail
(people having trouble with archive access tend to like to write us
mail about what's wrong) but not rnews. Real news neighbors don't use
Uanon. I suspect that most archive sites have similar arrangements.
--Karl
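The Permissions arrangement Joe Buck and Karl Kleinpaste describe above, as an added example that is not part of the original thread: a small Python audit that reads an HDB UUCP Permissions file and lists which callers may run rnews, shown on a weak entry beside a hardened one. The sample entries are constructed; the Unews1 login, the newsfeed1 site name and the file paths are assumptions, and only the Uanon login comes from the thread.

```python
# Added example: which callers does an HDB UUCP Permissions file let run rnews?
# All names except the Uanon login are constructed for illustration.
WEAK = r"""
# anonymous login; any unnamed caller may queue news
LOGNAME=Uanon MACHINE=OTHER REQUEST=yes SENDFILES=no \
    READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic \
    COMMANDS=rmail:rnews
"""
HARDENED = r"""
# anonymous login: mail only, as the thread describes for archive sites
LOGNAME=Uanon MACHINE=OTHER REQUEST=yes SENDFILES=no \
    READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic \
    COMMANDS=rmail
# a real news neighbor gets its own login and is the only one allowed rnews
LOGNAME=Unews1 VALIDATE=newsfeed1
MACHINE=newsfeed1 COMMANDS=rmail:/usr/bin/rnews
"""

def parse_permissions(text):
    """Return one dict per logical entry; colon-separated values become lists."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # backslash continues the entry
            pending += line[:-1] + " "
            continue
        entry = {}
        for pair in (pending + line).split():
            key, _, value = pair.partition("=")
            entry[key.upper()] = value.split(":")
        entries.append(entry)
        pending = ""
    return entries

def rnews_callers(text, default_commands=("rmail",)):
    """Machine names permitted to run rnews; OTHER means any unnamed caller.
    Assumption: an entry with no COMMANDS gets rmail only (build-dependent)."""
    allowed = set()
    for entry in parse_permissions(text):
        commands = entry.get("COMMANDS", list(default_commands))
        names = {c.rsplit("/", 1)[-1] for c in commands}
        if names & {"rnews", "ALL"}:
            allowed.update(entry.get("MACHINE", []))
    return sorted(allowed)

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", rnews_callers(text))
```

A result containing OTHER means any system without its own MACHINE entry, the anonymous login included, can hand articles to rnews.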
blue@altger.UUCP (blue) (12/17/88)
In article <361@skep2.ATT.COM>, wcs@skep2.ATT.COM (Bill.Stewart.[ho95c]) writes:
> You seem to have a different understanding of what usenet is about than
> most of us do. There isn't some "big brother" government AUTHORIZING you
> to send and receive news; everyone's allowed to do what they want.
> (I realize Europe is slightly different because of billing for the trans-
> Atlantic link, and because your phone companies belong to the government.)
Bill,
Usenet in Europe is not free by any means. If one wants to get news he must be registered on uunet, on his national backbone - which will probably forward his system name to the European gateway - and PAY his backbone for the News. In Italy, specifically, prices rise from 2000 US $ a year up to.. dunno, depends on WHAT your system is up for. Same for email on usenet. I heard that in the States this service is almost free. Charges for transmission are excluded of course.
I run a Xenix system in Milano, Italy, which is linked to other systems in Italy and to the German <subnet>. The problem of <costs> in Europe is well-known, that's why a new European sub-network is being born these days. However, for people like me, students, getting on usenet is a MUST, and we are saving up money to subscribe to uunet by 1989. Look from which system I am mailing this: it's in Munich, W. Germany. I don't know ANY other system in Italy which can give me News.
> Posting is ok, and it's a good thing. If your site wants to reduce the
> amount of posting they do to reduce costs, fine. If they want to make it
> difficult to new users to post because they might look like fools if they
> talk before they've done some reading, fine. It's not hard to get those
> features. But otherwise, why protect posting? It's like arguing against
> free speech; if you don't like what people might say you enlighten them
> about how wrong they are, you don't prevent them from talking.
Hold on.
If I send news from MY system, which is named i2ack, through altger, the postmaster here will get troubles. Although Altger kindly supports people like me, and maybe would also agree for such a poor mail traffic on the net, his backbone probably would be pointed at by the European backbone, for 2 main reasons:
1) I am not registered anywhere (yet)
2) I cannot connect through Germany. Being Italian, I must use Italian backbones.
That's life. I know for sure that until now most of the unix systems in Italy used backbones abroad, however I got a LOT of troubles and as a matter of fact I cannot send/receive any email through altger. This explains why News - at least in Europe - should be better protected.
Now, I get the chance of this mail, asking: is there anyone around in USA running a unix (or similar) system linked on telenet, tymnet or whatever X.25 which would take me in? Not for free, I mean, just for a reasonable yearly fee. Don't laugh, this is a serious problem, at least here in Italy, where the whole uucp network (the official one) counts less than 40 nodes.
regards,
Paolo <B.B.>
--
Mr. BlueBoy, DTE222/hck - Milano, Italy
Usenet: blue@altger | Unix has no bugs. Unix itself IS a bug.
Subnet: blue@i2ack | Let's use ProDos.. :-)