gam@amdahl.UUCP (G A Moffett) (06/11/86)
We received what must have been dozens of articles, allegedly from david@ukma.UUCP, which produced the following in our log file:

Jun 10 19:24 hplabs.hplabs.UUCP received <Davids.Hack.8711@ukma.UUCP> ng net.general.ctl subj 'forged cancel cmsg -- flames to david@ukma.UUCP'
Jun 10 19:24 hplabs.hplabs.UUCP from dobro@ulowell.UUCP (Chet Dobro) relay version B 2.10.3 4.3bsd-beta 6/6/85; site hplabs.hplabs.UUCP
Jun 10 19:24 hplabs.hplabs.UUCP Ctl Msg net.general.ctl from hplabs!sdcrdcf!burdvax!psuvax1!psuvm.bitnet!ukma!david: cancel <41@mirror.mirror.UUCP>
Jun 10 19:24 hplabs.hplabs.UUCP linecount expected 1, got 2
Jun 10 19:24 hplabs.hplabs.UUCP waiting on lock for /tmp/L<davids.hack.8712@ukma.uucp>
Jun 10 19:25 hplabs.hplabs.UUCP waiting on lock for /tmp/L<davids.hack.8712@ukma.uucp>
Jun 10 19:26 hplabs.hplabs.UUCP waiting on lock for /tmp/L<davids.hack.8712@ukma.uucp>

... and so on. Its main side effect appeared to be forcing pointless (but finite) looping in rnews. Fortunately the looping was spent mostly in sleep(3)ing, but the many articles -- a few dozen at least -- forced rnews to sleep so long that uuxqt forgot about it (the LCK.XQT file wasn't updated).

I am not planning to flame david@ukma for this. At least until further evidence is provided, I doubt that this was his work. He is a UUCP Admin at the University of Kentucky, according to the Usenet/UUCP maps, and I can imagine what sort of cute pranks like this bored college hackers would love to try, blaming a convenient target. The prior article found in the 'control' newsgroup was also from david@ukma.UUCP so perhaps that was the source of an article which the pranksters forged.

I don't know what the trick was to posting this article, but it is a terrible warning about what sort of power the network has via rnews. It took a moderately panicked search to determine what the true cause was, but I didn't find this article in the spool directory.

It wasn't until I killed *all* uuxqts (there were three at that point) and deleted all incoming news that this ridiculous stream of prankish articles and the problem went away (or so it seems ...).

What did other sites do? Or are you aware that this ``bug'' exists? (do you have more than one uuxqt running now?).

I do not yet have a patch to rnews to prevent this problem (I don't know exactly what to prevent). But look, ye, and weep: all your systems are vulnerable to potentially damaging (to netnews, at least) pranks.

And to think we haven't even gotten rid of the line eater ....
--
_G_o_r_d_o_n _A. _M_o_f_f_e_t_t ...!{ihnp4,seismo,hplabs}!amdahl!gam

Inferior people should not be employed.
-- [ This does not represent Amdahl Corporation ]
csg@pyramid.UUCP (Carl S. Gutekunst) (06/12/86)
In article <3344@amdahl.UUCP> gam@amdahl.UUCP (G A Moffett) writes:
>We received what must have been dozens of articles, allegedly from
>david@ukma.UUCP, which produced the following in our log file:

It's not a prank. David explained what he was planning to do in a net.news posting a couple of days ago. He forged cancel messages for approximately 60 duplicate articles that splattered over the net when mirror's news/notes gateway hiccupped. I agree with his actions, but his implementation was awful:

>I do not yet have a patch to rnews to prevent this problem (I don't
>know exactly what to prevent).

The problem is the Article-IDs were not unique within 14 characters. This is technically legal, but causes grave disorder on System V news sites.

Your basic point -- it's easy to fake cancel messages -- is very true, and always has been. In my year on the net this blatant security hole has been abused only once: a vigilante SA did some "retroactive moderation" of net.sources.

At the time it was suggested that rnews be changed to ignore cancel messages. After some thought (and a recent experience with an employee who was abusing the net) I disagree. While anyone could conceivably cancel the entire net, I still feel the ability to take back one's words is worth the risk.

I'm open to other opinions....

<csg>
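
Added example (not part of any post in this thread, and not rnews source code): a small C check for the failure described in the post above, Message-IDs that stop being unique once a lock-file name is cut to 14 characters. It assumes the lock name is "L" plus the lower-cased Message-ID, as in the log lines in the first post, and that the file system silently truncates longer names; the helper names and the ID `<42@mirror.mirror.UUCP>` are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define SYSV_NAME_MAX 14   /* classic System V directory-entry name length */

/* Hypothetical helper: "L" + lower-cased Message-ID, cut to `keep` chars.
 * Assumption: the file system silently truncates longer names. */
static void lock_name(const char *msgid, size_t keep, char *out, size_t outsz)
{
    size_t i = 0;
    if (keep > outsz - 1) keep = outsz - 1;
    if (keep > 0) out[i++] = 'L';
    for (; i < keep && *msgid; msgid++)
        out[i++] = (char)tolower((unsigned char)*msgid);
    out[i] = '\0';
}

/* Count pairs of distinct Message-IDs that map to the same lock name. */
int count_collisions(const char *const ids[], size_t n, size_t keep)
{
    char a[256], b[256];
    int pairs = 0;
    for (size_t i = 0; i < n; i++) {
        lock_name(ids[i], keep, a, sizeof a);
        for (size_t j = i + 1; j < n; j++) {
            lock_name(ids[j], keep, b, sizeof b);
            if (strcmp(ids[i], ids[j]) != 0 && strcmp(a, b) == 0)
                pairs++;
        }
    }
    return pairs;
}

/* Constructed sample: two IDs in the style of the forged cancels and two
 * short numeric IDs in the style of the articles being cancelled. */
static const char *const sample_ids[] = {
    "<Davids.Hack.8711@ukma.UUCP>",
    "<Davids.Hack.8712@ukma.UUCP>",
    "<41@mirror.mirror.UUCP>",
    "<42@mirror.mirror.UUCP>",
};

int main(void)
{
    size_t n = sizeof sample_ids / sizeof sample_ids[0];
    printf("colliding pairs: %d at 14 chars, %d at 255 chars\n",
           count_collisions(sample_ids, n, SYSV_NAME_MAX),
           count_collisions(sample_ids, n, 255));
    return 0;
}
```

With 14-character names both `Davids.Hack` IDs reduce to `L<davids.hack.` and contend for one lock, while the short numeric IDs stay distinct because their varying digits come first.
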
grr@cbmvax.cbm.UUCP (George Robbins) (06/12/86)
In article <3344@amdahl.UUCP> gam@amdahl.UUCP (G A Moffett) writes:
>
>We received what must have been dozens of articles, allegedly from
>david@ukma.UUCP, which produced the following in our log file:
>
>Jun 10 19:24 hplabs.hplabs.UUCP received <Davids.Hack.8711@ukma.UUCP> ng net.general.ctl subj 'forged cancel cmsg -- flames
>... and so on. Its main side effect appeared to be forcing pointless
>(but finite) looping in rnews. Fortunately the looping was spent
>mostly in sleep(3)ing, but the many articles -- a few dozen at least --
>forced rnews to sleep so long that uuxqt forgot about it (the LCK.XQT
>file wasn't updated).
>
>I am not planning to flame david@ukma for this. At least until further
>evidence is provided, I doubt that this was his work. He is a UUCP
>Admin at the University of Kentucky, according to the Usenet/UUCP maps,
>and I can imagine what sort of cute pranks like this bored college
>hackers would love to try, blaming a convenient target. The prior
>article found in the 'control' newsgroup was also from david@ukma.UUCP
>so perhaps that was the source of an article which the pranksters
>forged.
>
>What did other sites do? Or are you aware that this ``bug'' exists?
>(do you have more than one uuxqt running now?).

These messages went down smoothly here.

No, this was not a prank - Dave was canceling the 30 some spurious postings to net.general that seeped out of notes at mirror the other day.

Now canceling someone else's messages netwide isn't normally a kosher sort of thing, which is why the messages indicated that they were forged. I guess he could have stated his intent a little more clearly though...
--
George Robbins - now working with,      uucp: {ihnp4|seismo|caip}!cbmvax!grr
but no way officially representing      arpa: cbmvax!grr@seismo.css.GOV
Commodore, Engineering Department       fone: 215-431-9255 (only by moonlite)
gam@amdahl.UUCP (G A Moffett) (06/12/86)
I had read the earlier articles warning of these articles I had complained about. I did not make the connection later, though, between those articles and the chaos it put our UUCP system in.

However, the negative consequences of these articles were not warned about -- or, better put: I didn't see such warnings about these articles.

In any case I withdraw the original article to which this is a followup. I made a mistake. I misinterpreted what I observed.
--
_G_o_r_d_o_n _A. _M_o_f_f_e_t_t ...!{ihnp4,seismo,hplabs}!amdahl!gam
levy@ttrdc.UUCP (Daniel R. Levy) (06/15/86)
In article <460@pyramid.UUCP>, csg@pyramid.UUCP writes:
>
>At the time it was suggested that rnews be changed to ignore cancel messages.
>After some thought (and a recent experience with an employee who was abusing
>the net) I disagree. While anyone could conceivably cancel the entire net, I
>still feel the ability to take back one's words is worth the risk.
>
>I'm open to other opinions....
>
><csg>

Would someone please tell me how I would invoke 'inews' (what arguments, and what stdin) if I wished to send out more than one cancel message on an article of my own which I wished to retract for some reason? I have attempted to send out multiple cancel messages at one time (from readnews, NOT by invoking inews bare) but as soon as one succeeds in deleting the local copy of the message, the others exit with a diagnostic "Can't open [filename which contained my article] (r)." (I once captured the arguments that inews was using by doing a quick 'ps -f' after doing such a cancel and getting out of readnews at once, but my attempt to repeat the same invocation of inews bare drew the same diagnostic of "Can't open...", though I was able to use that invocation on a net.test article which I had not canceled, with /dev/null as stdin. E.g.:

#this works:
$ inews -t cmsg cancel '<970@ttrdc.UUCP>' -n net.test < /dev/null
#do it again later, it bombs:
$ inews -t cmsg cancel '<970@ttrdc.UUCP>' -n net.test < /dev/null
inews: Cannot open /netnews/spool/net/test/909 (r).

I am not a sys admin on the system I get netnews on (cannot log in as root or as netnews) and do not have easy access/influence :-) over those who do. I do __NOT!!!!!__ have the inews source code so please don't tell me to look at the source unless you mail it to me in its entirety.

I have heard of people sending out multiple cancel messages but my feeble attempt at doing so never seems to get out more than one such message, which might be ignored because a system hasn't yet gotten my article before it gets my cancel (and if that happens, is the cancel passed along anyway, or is it killed at that point? I was never quite sure).

Please assist. Sometimes in spite of my better intentions my fingers develop a mind of their own, it seems :-). TIA, adTHANKSvance, muchos gracias.
--
 -------------------------------     Disclaimer: The views contained herein are
|       dan levy | yvel nad      |   my own and are not at all those of my em-
|         an engihacker @        |   ployer or the administrator of any computer
| at&t computer systems division |   upon which I may hack.
|        skokie, illinois        |
 --------------------------------    Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
                                            vax135}!ttrdc!levy