Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!hao!oddjob!gargoyle!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
From: magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR)
Newsgroups: news.admin,misc.legal
Subject: Re: A challenge for those who believe that the network has security
Message-ID: <3974@watdcsu.waterloo.edu>
Date: Mon, 19-Oct-87 18:29:51 EDT
Article-I.D.: watdcsu.3974
Posted: Mon Oct 19 18:29:51 1987
Date-Received: Fri, 23-Oct-87 01:23:23 EDT
Organization: U of Waterloo, Ontario
Lines: 107
Xref: mnetor news.admin:1212 misc.legal:3205

Hello All,

The current discussion has been whether it is _impossible_ or not to detect faked usenet articles - most recently re: <3947@watdcsu.waterloo.edu> - and others. I indicated that in many cases [ with exceptions outlined ] it may be possible to actually narrow down where a faked article came from [ again with exceptions outlined ].

To contend this point someone faked a message in my name and challenged me to figure out where it came from. They used an article with ID <4000@watdcsu.waterloo.edu> Dated: 18 Oct 87 20:34:25... [ His posting is included at the end of this article ]

Here is a small part of the history log from watdcsu showing that article 4000 doesn't exist - yet. No need to take my word for this as most anyone can check it _if_ their site keeps history logs [ ex: /usr/lib/history - on some machines ]:

<3967@watdcsu.waterloo.edu> 10/17/87 23:11 rec.woodworking/278
<3969@watdcsu.waterloo.edu> 10/18/87 04:03 comp.sys.hp/257
<3970@watdcsu.waterloo.edu> 10/19/87 06:15 comp.sys.hp/258
<3971@watdcsu.waterloo.edu> 10/19/87 12:59 comp.sys.mac/7390
<3972@watdcsu.waterloo.edu> 10/19/87 13:16 ont.events/813 uw.talks/319 uw.grad.cs/2336
<3973@watdcsu.waterloo.edu> 10/19/87 16:21 sci.space/3234 sci.physics/2385
---

It's obvious that the poster thus made a silly mistake in his attempt to fake the posting in question.
His mistake however underlines part of the false assumption that a few people have about the _ease_ of faking articles _undetected_. But rather than letting this issue get too clouded I would like to say that my original observations were in regard to a statement that it was _impossible_ to detect faked articles. I knew that in some cases this would be true, however I outlined a few such issues in earlier articles to attempt to avoid this misunderstanding. Now to avoid further confusion I should say that I feel that the claim that it is 'impossible' is in many ways as faulty as if someone had said that it is 'always possible'.

I had considered as a premise the issue of the possible success of a determined forger _vs_ the possible success of a group of determined sysadmins [ or just everyday concerned people at widely diverse sites ]. By talking about possible case by case details and problems with each side of the issue we could very well end up leaving the overall issue untouched. My objections to the suggested ease of faking an article undetected are based on the premise of what _could_ be done rather than what _would_ be done. What would be done is determined by how important the case by case issue is and how many people care enough to act [ If the person affected has many friends who might email copies of the article in order to compare path headers etc... ]. The importance of backtracking <4000@watdcsu.waterloo.edu> is very low.

So while there is nothing stopping someone from attempting to fake an article, on the flip side there is also nothing stopping the affected person from posting a request for help [ hopefully they would ask for replies by email! ]. The _possibility_ that they could get caught is the main deterrence - as long as people know that faking _isn't_ simple when faced with determined efforts of detection...
David Herron [ among a few others ] was kind enough to forward me the posting which follows:

-------------------------------------------
Path: ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
From: "Mike Gore, Institute Computer Research - ICR"
Newsgroups: news.admin,misc.legal
Subject: A challenge for those who believe that the network has security
Message-Id: <4000@watdcsu.waterloo.edu>
Date: 18 Oct 87 20:34:25 GMT
References: <3947@watdcsu.waterloo.edu>
Reply-To: "Mike Gore, Institute Computer Research - ICR"
Organization: U. of Waterloo, Ontario
Lines: 22
Xref: ukma news.admin:1123 misc.legal:2913
Resent-Date: Mon, 19 Oct 87 10:56:31 EDT
Resent-From: david@e.ms.uky.edu
Resent-To: magore@watdcsu.waterloo.edu
Apparently-To: <@math.waterloo.edu:magore@watdcsu.waterloo.edu>
Status: R

Mike Gore asserts the following:

> Yes you could by faking the header - BUT once the forged message
> leaves your site it will leave a trail pointing back to you. Every site
> you connect to will tack on its own part of the full distribution path and
> if enough people compare the results it would be simple to determine where
> it _didn't_ come from by seeking a common root - and in many cases it would be
> possible to track it back to the actual poster _if_ that site keeps logs. If
> you do manage to post from several places at once you might cause problems
> with this method but there are other methods by using article numbers that
> further help to make undetected forgeries harder to do...

I challenge him to figure out where this article originated from, where it was inserted into the network, and who really wrote it in the first place. I believe that the network does not have sufficient audit trails to make this possible.

And as a courtesy, someone ought to mail him a copy of this article; you see, as a consequence of the forgery method, his site will not get a copy.

Of course, this might really be Mike Gore, arguing with himself...
# Mike Gore
# Institute for Computer Research. ( watmath!mgvax!root - at home )
# These ideas/concepts do not imply views held by the University of Waterloo.
--
<---- David Herron, Local E-Mail Hack, david@ms.uky.edu, david@ms.uky.csnet
<---- {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
<---- I thought that time was this neat invention that kept everything
<---- from happening at once. Why doesn't this work in practice?
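The two checks argued over in this thread, comparing the Path: headers of copies of one article collected at several sites to find the trail they all agree on, and looking the Message-ID up in the claimed origin site's history log, as an added example that is not code from the original article or from anyone in the thread. The second and third Path samples and the history excerpt are constructed (sitex and sitey are placeholder site names); only the first Path and the log layout come from the article above.

```python
import re
# Constructed sample: the same article's Path: header as received at three
# sites; the first is the Path quoted from the forged posting in this thread.
PATHS_SEEN = [
    "ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore",
    "mnetor!uunet!husc6!hao!oddjob!gargoyle!ihnp4!cbosgd!clyde!watmath!watdcsu!magore",
    "sitex!sitey!ihnp4!cbosgd!clyde!watmath!watdcsu!magore",
]
# Constructed excerpt of watdcsu's history log, in the layout shown in the
# article: "<msgid> mm/dd/yy hh:mm group/number ...".
HISTORY_LOG = """\
<3972@watdcsu.waterloo.edu> 10/19/87 13:16 ont.events/813 uw.talks/319
<3973@watdcsu.waterloo.edu> 10/19/87 16:21 sci.space/3234 sci.physics/2385
"""

def common_tail(paths):
    """Hops every copy agrees on, compared from the poster end backwards and
    returned left to right. Copies diverge only to the left of this tail, so the
    article certainly passed its first hop; later hops could be forged."""
    tail = []
    for hops in zip(*[p.split("!")[::-1] for p in paths]):
        if len(set(hops)) != 1:
            break
        tail.append(hops[0])
    return tail[::-1]

def parse_history(text):
    """Map Message-ID -> (date and time, list of group/number entries)."""
    history = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("<"):
            history[parts[0]] = (parts[1] + " " + parts[2], parts[3:])
    return history

def article_number(msgid):
    m = re.match(r"<(\d+)@", msgid)
    return int(m.group(1)) if m else -1

def analyze(msgid, paths, history_text, origin_site):
    """Agreed trail plus whether the claimed origin ever issued this number."""
    history = parse_history(history_text)
    tail = common_tail(paths)
    recorded = msgid in history
    # No record at the origin: every agreed hop before it could have injected it.
    suspects = [] if recorded else [h for h in tail[:-1] if h != origin_site]
    return {"common_tail": tail, "recorded_at_origin": recorded,
            "claimed_number": article_number(msgid), "suspect_hops": suspects,
            "highest_issued": max(map(article_number, history), default=-1)}
```

Running analyze("<4000@watdcsu.waterloo.edu>", PATHS_SEEN, HISTORY_LOG, "watdcsu") reports the article unrecorded at watdcsu, a claimed number above the highest one issued, and the agreed hops between the fan-out point and watdcsu as the only places left to ask for logs.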