magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR) (10/18/87)
Mike Gore asserts the following:

> Yes you could by faking the header - BUT once the forged message
> leaves your site it will leave a trail pointing back to you. Every site
> you connect to will tack on its own part of the full distribution path and
> if enough people compare the results it would be simple to determine where
> it _didn't_ come from by seeking a common root- and in many cases it would be
> possible to track it back to the actual poster _if_ that site keeps logs. If
> you do manage to post from several places at once you might cause problems
> with this method but there are other methods by using article numbers that
> further help to make undetected forgeries harder to do...

I challenge him to figure out where this article originated from, where it was inserted into the network, and who really wrote it in the first place. I believe that the network does not have sufficient audit trails to make this possible.

And as a courtesy, someone ought to mail him a copy of this article; you see, as a consequence of the forgery method, his site will not get a copy.

Of course, this might really be Mike Gore, arguing with himself...

# Mike Gore
# Institute for Computer Research. ( watmath!mgvax!root - at home )
# These ideas/concepts do not imply views held by the University of Waterloo.
magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR) (10/20/87)
Hello All,

The current discussion has been whether it is _impossible_ or not to detect faked usenet articles - most recently re: <3947@watdcsu.waterloo.edu> - and others. I indicated that in many cases [ with exceptions outlined ] it may be possible to actually narrow down where a faked article came from [ again with exceptions outlined ]. To contend this point someone faked a message in my name and challenged me to figure out where it came from. They used an article with ID <4000@watdcsu.waterloo.edu> Dated: 18 Oct 87 20:34:25... [ His posting included at the end of this article ]

Here is a small part of the history log from watdcsu showing that article 4000 doesn't exist - yet. No need to take my word for this as most anyone can check it _if_ their site keeps history logs. [ ex: /usr/lib/history - on some machines ]:

<3967@watdcsu.waterloo.edu> 10/17/87 23:11 rec.woodworking/278
<3969@watdcsu.waterloo.edu> 10/18/87 04:03 comp.sys.hp/257
<3970@watdcsu.waterloo.edu> 10/19/87 06:15 comp.sys.hp/258
<3971@watdcsu.waterloo.edu> 10/19/87 12:59 comp.sys.mac/7390
<3972@watdcsu.waterloo.edu> 10/19/87 13:16 ont.events/813 uw.talks/319 uw.grad.cs/2336
<3973@watdcsu.waterloo.edu> 10/19/87 16:21 sci.space/3234 sci.physics/2385
---

It's obvious that the poster thus made a silly mistake in his attempt to fake the posting in question. His mistake however underlines part of the false assumption that a few people have about the _ease_ of faking articles _undetected_. But rather than letting this issue get too clouded I would like to say that my original observations were in regard to a statement that it was _impossible_ to detect faked articles. I knew that in some cases this would be true however I outlined a few such issues in earlier articles to attempt to avoid this misunderstanding. Now to avoid further confusion I should say that I feel that the claim that it is 'impossible' is in many ways as faulty as if someone had said that it is 'always possible'.

I had considered as a premise the issue of the possible success of a determined forger _vs_ the possible success of a group of determined sysadmins [ or just everyday concerned people at widely diverse sites ]. By talking about possible case by case details and problems with each side of the issue we could very well end up leaving the overall issue untouched. My objections to the suggested ease of faking an article undetected are based on the premise of what _could_ be done rather than what _would_ be done. What would be done is determined by how important the case by case issue is and how many people care enough to act [ If the person affected has many friends who might email copies of the article in order to compare path headers etc...] The importance of backtracking <4000@watdcsu.waterloo.edu> is very low. So while there is nothing stopping someone from attempting to fake an article on the flip side there is also nothing stopping the affected person from posting a request for help [ hopefully they would ask for replies by email! ]. The _possibility_ that they could get caught is the main deterrence - as long as people know that faking _isn't_ simple when faced with determined efforts of detection...

David Herron [ among a few others ] was kind enough to forward me the posting which follows:
-------------------------------------------

Path: ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
From: "Mike Gore, Institute Computer Research - ICR" <magore@watdcsu.waterloo.edu>
Newsgroups: news.admin,misc.legal
Subject: A challenge for those who believe that the network has security
Message-Id: <4000@watdcsu.waterloo.edu>
Date: 18 Oct 87 20:34:25 GMT
References: <3947@watdcsu.waterloo.edu>
Reply-To: "Mike Gore, Institute Computer Research - ICR" <magore@watdcsu.waterloo.edu>
Organization: U. of Waterloo, Ontario
Lines: 22
Xref: ukma news.admin:1123 misc.legal:2913
Resent-Date: Mon, 19 Oct 87 10:56:31 EDT
Resent-From: david@e.ms.uky.edu
Resent-To: magore@watdcsu.waterloo.edu
Apparently-To: <@math.waterloo.edu:magore@watdcsu.waterloo.edu>
Status: R

Mike Gore asserts the following:

> Yes you could by faking the header - BUT once the forged message
> leaves your site it will leave a trail pointing back to you. Every site
> you connect to will tack on its own part of the full distribution path and
> if enough people compare the results it would be simple to determine where
> it _didn't_ come from by seeking a common root- and in many cases it would be
> possible to track it back to the actual poster _if_ that site keeps logs. If
> you do manage to post from several places at once you might cause problems
> with this method but there are other methods by using article numbers that
> further help to make undetected forgeries harder to do...

I challenge him to figure out where this article originated from, where it was inserted into the network, and who really wrote it in the first place. I believe that the network does not have sufficient audit trails to make this possible.

And as a courtesy, someone ought to mail him a copy of this article; you see, as a consequence of the forgery method, his site will not get a copy.

Of course, this might really be Mike Gore, arguing with himself...

# Mike Gore
# Institute for Computer Research. ( watmath!mgvax!root - at home )
# These ideas/concepts do not imply views held by the University of Waterloo.

--
<---- David Herron, Local E-Mail Hack, david@ms.uky.edu, david@ms.uky.csnet
<---- {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
<---- I thought that time was this neat invention that kept everything
<---- from happening at once. Why doesn't this work in practice?
aeusemrs@csun.UUCP (Mike Stump) (10/22/87)
The > part was NOT written by magore.

In article <4000@watdcsu.waterloo.edu> magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR) writes:
+---------------------------------
|Mike Gore asserts the following:
|
|> Yes you could by faking the header - BUT once the forged message
|> leaves your site it will leave a trail pointing back to you. [true]
|
|I challenge him to figure out where this article originated from,
|where it was inserted into the network, and who really wrote it in
|the first place. I believe that the network does not have sufficient
|audit trails to make this possible.
|
|And as a courtesy, someone ought to mail him a copy of this article[.]
+---------------------------------

And it turns out you did; really, you should have let someone else send him the article. Too simple, it was from:

david@ms.uky.edu (David Herron -- Resident E-mail Hack) at U of Kentucky, Mathematical Sciences

You made it much too easy David, a little more work on your part, and it might have been a little harder.
--
Mike Stump, Cal State Univ, Northridge Comp Sci Department
uucp: {sdcrdcf, ihnp4, hplabs, ttidca, psivax, csustan}!csun!aeusemrs
flee@gondor.psu.edu (Felix Lee) (10/23/87)
In article <3974@watdcsu.waterloo.edu> magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR) writes:
> Here is a small part of the history log from watdcsu showing that
>article 4000 doesn't exist - yet.
[...]
> It's obvious that the poster thus made a silly mistake in his attempt
>to fake the posting in question.

I think the faker should have used a larger number. As it is, if someone at watdcsu does post article 4000 within a month, it'll never reach psuvax1. If the poster had used 3974, I'd never have seen Mike Gore's posting.

I agree that a completely undetectable fake is nearly impossible. (If it were perfect, would it be fake?) But it's easy to cause a great deal of confusion. Say I flood the net with bogus cancel messages from watdcsu, using every other article number from 3974 to 4100, and scattered random numbers up to 30000. Do you look at cancel messages in control?

I'm curious. How easy is it to trace <4000@watdcsu.waterloo.edu>? Here are two paths, the local path and the one that Mike Gore posted.
> Path: psuvax1!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
> Path: ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
I wouldn't put too much significance on the fact that everything from rutgers to watdcsu is the same--a good portion of our news comes from rutgers over NNTP.

The questions are: 1) where was it inserted; 2) what machine did it originate from; 3) what user faked the message; 4) what interface was used.

If you're interested, send me your versions of the Path:. If you're one of the machines on the paths above, grep for <4000@watdcsu.waterloo.edu> in your history file and mail me the result.

I'm almost afraid this will start off a contest of fake articles. Maybe someone should forge a 'newgroup news.fake' to contain them before it goes too far:-).
--
Felix Lee flee@gondor.psu.edu {cbosgd,cmcl2}!psuvax1!gondor!flee
To have a reason to get up in the morning, it is necessary to possess a guiding principle. A belief of some kind. A bumper sticker, if you will. [Judith Guest, Ordinary_People]
daveb@geac.UUCP (10/23/87)
In article <FORGED@watdcsu.waterloo.edu> BOGUS-near-clyde writes:
>I challenge him (Mike Gore) to figure out where this article originated from,
>where it was inserted into the network, and who really wrote it in
>the first place. I believe that the network does not have sufficient
>audit trails to make this possible.
># Mike Gore
># Institute for Computer Research. ( watmath!mgvax!root - at home )
># These ideas/concepts do not imply views held by the University of Waterloo.

This network not only has enough audit trails to trace back the author to a site/person having news capabilities at clyde, it also provides a subset of these audit trails to every recipient. The path taken to reach this site (2 hops away from watmath) was

[pseudo-watmath] -> clyde -> cbosgd -> ihnp4 -> homxb -> ho95e -> rutgers -> husc6 -> uunet -> mnetor -> utzoo -> yetti -> geac

Have a look at the usenet map... I usually talk to watmath via yetti.

If the forger was particularly bright, he may have placed an arbitrarily long pseudo-path in front of the site he used to send the forgery, so it behooves the mail administrators of sites on this path to check their logs and news articles.

--dave (hi mikey!) c-b
--
David Collier-Brown.                 {mnetor|yetti|utgpu}!geac!daveb
Geac Computers International Inc.,   | Computer Science loses its
350 Steelcase Road,Markham, Ontario, | memory (if not its mind)
CANADA, L3R 1B3 (416) 475-0525 x3279 | every 6 months.
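As an added example (written here, not by any of the posters), this Python script does mechanically what Felix Lee asks for above and what Dave Collier-Brown recommends: it takes several recipients' Path: headers for one Message-ID, computes the common root they all agree on, and then walks that root from the poster end against each relay's history file to find the earliest hop the article provably passed through; every hop to the right of it is the part nobody can vouch for. The third Path: line and the clyde/watmath history lines are constructed for illustration; the thread itself only shows watdcsu's history.

```python
import re
from typing import Dict, List, Optional, Tuple

def parse_path(header: str) -> List[str]:
    """'Path: a!b!c!user' -> ['a','b','c','user']; leftmost = latest relay, rightmost = claimed poster."""
    value = re.sub(r"^path:\s*", "", header.strip(), flags=re.IGNORECASE)
    return [hop for hop in value.split("!") if hop]

def common_root(paths: List[List[str]]) -> List[str]:
    """Longest common suffix of the copies' Path: lists: the hops every recipient agrees on."""
    root: List[str] = []
    for hops in zip(*(reversed(p) for p in paths)):  # walk in from the poster end
        if len(set(hops)) != 1:
            break
        root.insert(0, hops[0])
    return root

def history_has(history_text: str, msgid: str) -> bool:
    """True if a '<id> date time group/num' history file (watdcsu's layout above) records msgid."""
    return any(line.split()[0] == msgid for line in history_text.splitlines() if line.strip())

def trace(paths: List[List[str]], histories: Dict[str, str],
          msgid: str) -> Tuple[List[str], Optional[str], List[str]]:
    """Return (common_root, last_verified_hop, unverified_tail).
    Walking the root from the poster end leftwards, the first relay whose history records
    msgid is the earliest hop the article provably passed through; all hops to its right are
    unverified (for a forgery: the pseudo-path the forger typed in).  A relay with no history
    on hand counts as unverified, never as exonerated."""
    root = common_root(paths)
    for i in range(len(root) - 1, -1, -1):
        if root[i] in histories and history_has(histories[root[i]], msgid):
            return root, root[i], root[i + 1:]
    return root, None, root

# Constructed sample: the two Path: lines quoted in this thread plus a third written from
# geac's described route.  Only watdcsu's history lines come from the thread; clyde's and
# watmath's are made up here to exercise the check.
MSGID = "<4000@watdcsu.waterloo.edu>"
PATHS = [parse_path(p) for p in (
    "Path: psuvax1!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore",
    "Path: ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore",
    "Path: geac!yetti!utzoo!mnetor!uunet!husc6!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore",
)]
HISTORIES = {
    "watdcsu": "<3967@watdcsu.waterloo.edu> 10/17/87 23:11 rec.woodworking/278\n"
               "<3969@watdcsu.waterloo.edu> 10/18/87 04:03 comp.sys.hp/257\n",
    "watmath": "<1234@watmath.waterloo.edu> 10/18/87 20:01 uw.talks/320\n",     # constructed
    "clyde":   "<4000@watdcsu.waterloo.edu> 10/18/87 20:40 news.admin/1100\n",  # constructed
}

if __name__ == "__main__":
    root, verified, tail = trace(PATHS, HISTORIES, MSGID)
    print("common root:", "!".join(root))
    print("last relay with the ID in its history:", verified)
    print("unverified tail (forger-supplied if forged):", "!".join(tail))
```

With the constructed histories the common root runs rutgers..magore, the last verifiable relay is clyde, and watmath!watdcsu!magore is the tail nobody can confirm.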
mwm@eris.BERKELEY.EDU (Mike (My watch has windows) Meyer) (10/24/87)
In article <3974@watdcsu.waterloo.edu> magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR) writes:
<Hello All,
< The current discussion has been whether it is _impossible_ or not to
<detect faked usenet articles - most recently re: <3947@watdcsu.waterloo.edu>
<
< Here is a small part of the history log from watdcsu showing that
<article 4000 doesn't exist - yet. No need to take my word for this as most
[deleted - mwm]
< It's obvious that the poster thus made a silly mistake in his attempt
<to fake the posting in question.
It's not a silly mistake - it's required if the forgery is to go
anywhere. Since it never reaches the "originating" machine, it's
probable that the forgery wouldn't be detected until after the forged
message id had come into existence. With some care as to content,
it's even possible that the forgery won't be noticed until the forged
article had expired on most sites.
BTW, 4000@watdcsu.waterloo.edu does exist - everywhere but at watdcsu!
So when watdcsu generates that message id, it won't propagate. You
might want to do something about that.
<But rather than letting this issue get too clouded I would like
<to say that my original observations were in regard to a statement that
<it was _impossible_ to detect faked articles.
You also said that it would be simple to determine where the forgery
_didn't_ come from, and that you could probably determine where it did
come from. [See attached forgery for the quote.] But now we hear:
<The importance of backtracking <4000@watdcsu.waterloo.edu> is very low.
The attitude "Yes, I can do it, but it isn't worth the effort in this
case" is one commonly found in charlatans. I don't think you're a
charlatan, I merely think you're wrong. You've got a test case here -
please prove you have the ability you claim you do.
On a more important note, I suspect that computer log files will be as
admissible in a court of law as audio tape recordings. Would one of
the lawyers on the net care to comment (mcb)?
<mike
<David Herron [ among a few others ] was kind enough to
<forward me the posting which follows:
<-------------------------------------------
<
<Path: ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
<From: "Mike Gore, Institute Computer Research - ICR" <magore@watdcsu.waterloo.edu>
<Newsgroups: news.admin,misc.legal
<Subject: A challenge for those who believe that the network has security
<Message-Id: <4000@watdcsu.waterloo.edu>
<Date: 18 Oct 87 20:34:25 GMT
<References: <3947@watdcsu.waterloo.edu>
<Reply-To: "Mike Gore, Institute Computer Research - ICR" <magore@watdcsu.waterloo.edu>
<Organization: U. of Waterloo, Ontario
<Lines: 22
<Xref: ukma news.admin:1123 misc.legal:2913
<Resent-Date: Mon, 19 Oct 87 10:56:31 EDT
<Resent-From: david@e.ms.uky.edu
<Resent-To: magore@watdcsu.waterloo.edu
<Apparently-To: <@math.waterloo.edu:magore@watdcsu.waterloo.edu>
<Status: R
<
<Mike Gore asserts the following:
<
<> Yes you could by faking the header - BUT once the forged message
<> leaves your site it will leave a trail pointing back to you. Every site
<> you connect to will tack on its own part of the full distribution path and
<> if enough people compare the results it would be simple to determine where
<> it _didn't_ come from by seeking a common root- and in many cases it would be
<> possible to track it back to the actual poster _if_ that site keeps logs. If
<> you do manage to post from several places at once you might cause problems
<> with this method but there are other methods by using article numbers that
<> further help to make undetected forgeries harder to do...
<
<I challenge him to figure out where this article originated from,
<where it was inserted into the network, and who really wrote it in
<the first place. I believe that the network does not have sufficient
<audit trails to make this possible.
<
<And as a courtesy, someone ought to mail him a copy of this article;
<you see, as a consequence of the forgery method, his site will not
<get a copy.
<
<Of course, this might really be Mike Gore, arguing with himself...
<
<# Mike Gore
<# Institute for Computer Research. ( watmath!mgvax!root - at home )
<# These ideas/concepts do not imply views held by the University of Waterloo.
<
<--
<<---- David Herron, Local E-Mail Hack, david@ms.uky.edu, david@ms.uky.csnet
<<---- {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
<<---- I thought that time was this neat invention that kept everything
<<---- from happening at once. Why doesn't this work in practice?
--
Tell me how d'you get to be            Mike Meyer
As beautiful as that?                  mwm@berkeley.edu
How did you get your mind              ucbvax!mwm
To tilt like your hat?                 mwm@ucbjade.BITNET
edhall@randvax.UUCP (Ed Hall) (10/25/87)
Even if USENET were 100% secure (and it isn't), the computer systems it runs on generally aren't, and UUCP (frequently the transport mechanism for netnews) most certainly isn't. You might be able to trace the system a message came from, but so what? Was the posting user really the person whose account was used? Is the system which fed the article really who the next host down the line thought it was? Anyone attempting to mount a court case based on USENET postings would likely be countered with a battery of experts who will testify to these things.

Of course, I think we generally agree that legal action would likely kill netnews, win or lose--in all probability, ``lose''.

-Ed
mjr@osiris.UUCP (Marcus J. Ranum) (10/25/87)
It is simply not "efficient" to assume that the net is not secure and to track back the origin of every article that a reader has grounds to suspect as false. I'd say the best approach is to remember that usenet is not society with hard and fast rules, but rather an anarchy in which things like faked postings can happen. If people are aware that there's a potential problem, maybe they'll have enough sense to be sceptical when something odd shows up.

--mjr();
--
If they think you're crude, go technical; if they think you're technical, go crude. I'm a very technical boy. So I get as crude as possible. These days, though, you have to be pretty technical before you can even aspire to crudeness... -Johnny Mnemonic
dmcanzi@watdcsu.UUCP (10/26/87)
The forger could have chosen a much larger article number or a much smaller article number, and there would have been no resulting risk of bona fide articles from watdcsu failing to propagate because of it. And such a forgery could probably go unnoticed. Do any people or software actually check for article numbers that are way out of sequence? I doubt it.

The sequence number for news articles has been updated on watdcsu so that no innocent person will inadvertently post article 4000@watdcsu and have it fail to propagate. Article ID's 3979@watdcsu through 3999@watdcsu are available for anyone who wishes to forge them.
--
David Canzi