[news.admin] NNTP, Security, and the "webber" sendsys

fair@ucbarpa.Berkeley.EDU (Erik E. Fair) (07/04/88)

In the referenced article, Bob.Webber@aramis.RUTGERS.EDU writes:
	I am told that the messages were actually fed in at the
	rutgers gateway itself via the joys of Eric Fair's nntp.

First, I'd like to take this opportunity to correct Dr. Webber's
spelling. My name is "Erik", not "Eric". Write whatever you want
about me, but spell my name right!

Second, NNTP is by no means mine. Most of the work was done by Phil
Lapsley, who wrote the daemon, and hacked up "rn" to be the first
reader client. Brian Kantor wrote some software in a parallel
effort, and he wrote nearly all of what became RFC977. I wrote the
news transfer client, kibitzed a lot on the spec, and played
"marketeer" for it. Several other people have written reader clients
for operating systems other than UNIX (e.g. TOPS-20, VMS, Symbolics
Lisp Machines, System V, MS/DOS, etc.)

Third, NNTP provides as much security as we thought was reasonably
useful, given that netnews itself has no authentication at all,
and no protection against forgeries. The NNTP daemon can discriminate
between sites, offering four levels of service: none (i.e. connection
refused), transfer (they're allowed to give us articles, and fetch
stuff by message-id), reader (they're allowed to give the group
command, and fetch things by sequence number), and post (they're
allowed to use the post command).

Discrimination can be done on network, sub-network, or per-host
basis, with distribution security (e.g. if you're a company on the
internet with NNTP and internal newsgroups, you can allow transfer,
and still prevent people from outside your network from fetching
articles in your internal newsgroups). The NNTP daemon also logs
stuff out the wazoo (Phil and I believe very strongly in logging;
it allows you to figure out what's going on in lots of situations).

Most Internet sites, at our recommendation, allow anyone to do
transfer so that, among other things, if anyone needs to examine
a particular article at lots of sites, it's easy to do so (I've
done this upon occasion). However this all gets logged, so the only
way that the perpetrator of the "webber" sendsys can hope to escape
notice is if he is already at one of Rutgers' normal netnews feeds
(assuming s/he dropped it on Rutgers).  At that point, someone will
have to examine the NNTP and news logs of Rutgers very closely, to
try and match the times that the articles got processed by netnews,
along with which remote sites were speaking NNTP to Rutgers at the
time.

If s/he sent the article to some other sites in that Path:, each
of those sites should examine their logs as well.

I want to expose the culprit to public ridicule - it was a rather
stupid and wasteful thing to do. 

	Erik E. Fair	ucbvax!fair	fair@ucbarpa.berkeley.edu
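The access-control and logging scheme Erik describes (four service levels, discrimination by network, sub-network or host, distribution restrictions, and logs detailed enough to match article arrival times against open NNTP sessions) can be modelled in a few dozen lines. The following is an added illustration, not the nntpd source or its actual configuration syntax: the access table, command names, log format and all addresses are constructed for the example.

```python
"""Model of the NNTP access-control and log-correlation scheme described in
the post. Added example; the table layout, command names and log lines are
constructed and are not the real nntpd formats."""
import ipaddress
from datetime import datetime, timedelta

# Service levels in increasing order of privilege; a higher level may do
# everything a lower one may.
LEVELS = ["none", "transfer", "reader", "post"]

# Minimum level each (simplified) client request needs.
REQUIRED = {
    "IHAVE": "transfer",          # peer offers us an article
    "ARTICLE_MSGID": "transfer",  # fetch by Message-ID
    "GROUP": "reader",            # select a group
    "ARTICLE_NUM": "reader",      # fetch by sequence number within a group
    "POST": "post",               # originate an article here
}

# Constructed access table: (network, level, permitted distributions; None = all).
# The most specific matching entry wins, so a host rule overrides its network.
ACCESS_TABLE = [
    ("192.0.2.0/24", "post", None),              # our own campus network
    ("198.51.100.7/32", "reader", {"world"}),    # one trusted remote host
    ("0.0.0.0/0", "transfer", {"world"}),        # everyone else: transfer only
]

def lookup(host):
    """Return (level, distributions) for host; unmatched hosts get 'none'."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, level, dists in ACCESS_TABLE:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, level, dists)
    if best is None:
        return "none", set()
    return best[1], best[2]

def authorize(host, command, distribution="world"):
    """Decide whether host may run command on an article in `distribution`.
    Outsiders can transfer 'world' articles but never touch internal groups."""
    level, dists = lookup(host)
    need = REQUIRED[command]
    if LEVELS.index(level) < LEVELS.index(need):
        return False, f"level {level} is below required level {need}"
    if dists is not None and distribution not in dists:
        return False, f"distribution {distribution} not permitted for {host}"
    return True, "ok"

# Constructed NNTP daemon log: timestamp, peer address, event.
NNTP_LOG = """\
1988-07-01 02:10:03 198.51.100.7 connect
1988-07-01 02:10:09 198.51.100.7 IHAVE <123@example.invalid> accepted
1988-07-01 02:10:20 198.51.100.7 disconnect
1988-07-01 02:14:00 203.0.113.9 connect
1988-07-01 02:15:41 203.0.113.9 IHAVE <forged@example.invalid> accepted
1988-07-01 02:16:02 203.0.113.9 disconnect
"""

def peers_connected_at(log_text, when, slack_seconds=60):
    """Peers whose NNTP session overlaps `when` (the time the news log shows
    the article being processed), with some slack for batching delay."""
    open_since, sessions = {}, []
    for line in log_text.splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0] + " " + parts[1])
        peer, event = parts[2], parts[3]
        if event == "connect":
            open_since[peer] = ts
        elif event == "disconnect" and peer in open_since:
            sessions.append((peer, open_since.pop(peer), ts))
    for peer, start in open_since.items():   # sessions still open at log end
        sessions.append((peer, start, None))
    slack = timedelta(seconds=slack_seconds)
    hits = {p for p, s, e in sessions
            if s - slack <= when and (e is None or when <= e + slack)}
    return sorted(hits)

if __name__ == "__main__":
    print(authorize("203.0.113.9", "ARTICLE_MSGID", "internal"))
    print(peers_connected_at(NNTP_LOG, datetime(1988, 7, 1, 2, 15, 50)))
```

The distribution check is what lets a site open transfer to the world, as Erik recommends, without leaking internal newsgroups; the session overlap function is the investigative step he describes, run over the daemon log once the news log gives the article's processing time.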

webber@aramis.rutgers.edu (Bob Webber) (07/04/88)

In article <4248@pasteur.Berkeley.Edu>, fair@ucbarpa.Berkeley.EDU (Erik E. Fair) writes:
> In the referenced article, Bob.Webber@aramis.RUTGERS.EDU writes:
> 	I am told that the messages were actually fed in at the
> 	rutgers gateway itself via the joys of Eric Fair's nntp.
> 
> First, I'd like to take this opportunity to correct Dr. Webber's
> spelling. My name is "Erik", not "Eric". Write whatever you want
> about me, but spell my name right!

Hmmm.  Maybe it wasn't you I was talking about then.  But what the heck,
you can add this to the list of typos that have appeared in my articles
over the years and as a token of good faith, I have just typed
        repeat 10000 echo Erik Fair >/dev/blackboard

> Second, NNTP is by no means mine. ... [acted as] "marketeer" for it. 

Well, since it is the use of nntp rather than the coding of nntp that
is the basis of my opinions on nntp, maybe attributing it to you wasn't
so far off.

> Third, NNTP provides as much security as we thought was reasonably
> useful, given that netnews itself has no authentication at all,
> and no protection against forgeries. 

Actually, rather than pointing at the security of netnews, I thought
you would base the lack of security of your protocol on the underlying
lack of security in the networking system in general.  After all,
surely no one pretends that it is difficult to break into any arpa
educational site and post as root.  At one point last summer Henry
Spencer was speaking about adding enough security to netnews to
prevent people from posting into moderated groups, but apparently
he gave up on that as a lost cause.  With enough cpu, I guess we could
run the whole net like Kerberos, but considering how well secretmail caught
on, I wouldn't hold my breath [sorry to disappoint people on both sides
of that ambiguity].

> Most Internet sites, at our recommendation, allow anyone to do
> transfer so that, among other things, if anyone needs to examine
> a particular article at lots of sites, it's easy to do so (I've
> done this upon occasion). 

I am told rutgers doesn't do this because too many people were using
the facility for their main feed -- nothing like being visible.

> If s/he sent the article to some other sites in that Path:, each
> of those sites should examine their logs as well.
> 
> I want to expose the culprit to public ridicule - it was a rather
> stupid and wasteful thing to do. 

As mentioned before, the sysadmin of rutgers (pleasant@aramis.rutgers.edu) 
claims to know who did it, but he is not interested in seeing the culprit 
exposed to public ridicule (although he knows who did it well enough to
take revenge on them for the amount of junk mail this generated for him).  
He has told me that the intrusion did start from an nntp link into rutgers. 
So, I guess as long as he is willing to sit tight on the records, the rest 
of the backbone can claim to be united in a wish to track down the person 
involved.  Who knows, maybe even a few people will believe them.

----- BOB (webber@athos.rutgers.edu ; rutgers!athos.rutgers.edu!webber)

henry@utzoo.uucp (Henry Spencer) (07/07/88)

> ... At one point last summer Henry
> Spencer was speaking about adding enough security to netnews to
> prevent people from posting into moderated groups, but apparently
> he gave up on that as a lost cause...

Not exactly.  We know how to do it; it would present some operational
problems but would not be impossibly difficult.  The trouble is that
it's a lot of work, and we're having enough trouble finding the time
and energy needed to get C News tidied up and out the door as it is.
-- 
Man is the best computer we can      |  Henry Spencer @ U of Toronto Zoology
put aboard a spacecraft. --Von Braun | {ihnp4,decvax,uunet!mnetor}!utzoo!henry