jgd@pollux.UUCP (Dr. James George Dunham) (07/27/88)
Recently an event happened with one of our local news sites that exposes a potential security problem with the current version of news B.2.11.14. This site received some news and spooled it. The machine went down and the name was accidentally changed. After coming up, the spooled news was received and then batched for the local feed sites with the changed name. An alert system operator noticed the name change since no one could communicate with it via UUCP and restored the proper name to the machine. The batched news was received by us and we accepted it with the changed name even though we do not have UUCP connections to that site nor is that site listed in our sys file. Thus news was propagated on the network with a bogus site in the path. Even though this is an unlikely set of events, a site wishing to inject bogus news on the network that would be difficult to track down could use this technique. I would suggest that the next version of news eliminate this potential problem by including a check to sys to see if the site is valid before accepting it.

-Jim Dunham
pollux!jgd
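The check suggested in the post above, sketched as an added example (not code from the news software or from either poster). It assumes sys entries of the form name[/exclusions]:subscriptions:flags:command with backslash continuation lines, that the leftmost "!"-separated Path entry is the site that fed us the article, and all site names and articles below are constructed. It validates only the immediate neighbor, not the rest of the path.

```python
import re

# Constructed sample sys file (format assumed, see lead-in).
SYS_FILE = r"""# feeds for this site
pollux:net,comp,\
    local:B:
castor/oldsite:net,comp:F:/usr/spool/batch/castor
ME:all::
"""

def known_sites(sys_text):
    """Return the set of neighbor names listed in a sys file."""
    joined = re.sub(r"\\\n\s*", "", sys_text)  # fold continuation lines
    sites = set()
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # First field is the site name; "/..." lists exclusions, not feeds.
        name = line.split(":", 1)[0].split("/", 1)[0].strip()
        if name and name != "ME":  # ME describes the local site itself
            sites.add(name)
    return sites

def feeding_site(article):
    """Return the leftmost Path entry from the headers, or None."""
    for line in article.splitlines():
        if not line:  # blank line ends the headers
            break
        if line.lower().startswith("path:"):
            return line.split(":", 1)[1].strip().split("!", 1)[0]
    return None

def accept(article, sites):
    """Accept only articles handed to us by a site listed in sys."""
    site = feeding_site(article)
    if site is None:
        return False, "no Path header"
    if site not in sites:
        return False, f"feeding site {site!r} not in sys"
    return True, f"fed by {site}"

# Constructed articles: one from a listed neighbor, one with a changed name.
GOOD = "Path: pollux!origin!user\nSubject: test\n\nbody\n"
RENAMED = "Path: bogus!origin!user\nSubject: test\n\nPath: pollux!x\n"

if __name__ == "__main__":
    for art in (GOOD, RENAMED):
        print(accept(art, known_sites(SYS_FILE)))
```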
wcs@skep2.ATT.COM (Bill.Stewart.[ho95c]) (07/28/88)
In fact, news has always been easy to forge. Several of the possible methods leave a trace, but others only tell where you hopped onto the news distribution network, and logfiles only help when the administrator isn't on vacation. But that's ok; this is only netnews. "Security" merely means you can't believe everything you read here, it doesn't mean your machine has been broken into. Even the Post Office doesn't claim to prevent forgery.

--
# Thanks;
# Bill Stewart, AT&T Bell Labs 2G218 Holmdel NJ 201-949-0705 ho95c.att.com!wcs