Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!mit-eddie!ll-xn!ames!ucbcad!ucbvax!jade!eris!mwm
From: mwm@eris.BERKELEY.EDU (Mike (My watch has windows) Meyer)
Newsgroups: news.admin,misc.legal
Subject: Re: A challenge for those who believe that the network has security
Message-ID: <5610@jade.BERKELEY.EDU>
Date: Sat, 24-Oct-87 00:03:58 EST
Article-I.D.: jade.5610
Posted: Sat Oct 24 00:03:58 1987
Date-Received: Sun, 25-Oct-87 22:37:52 EST
References: <3974@watdcsu.waterloo.edu>
Sender: usenet@jade.BERKELEY.EDU
Reply-To: mwm@eris.BERKELEY.EDU (Mike (My watch has windows) Meyer)
Organization: Missionaria Phonibalonica
Lines: 103
Xref: mnetor news.admin:1243 misc.legal:3296

In article <3974@watdcsu.waterloo.edu> magore@watdcsu.waterloo.edu (Mike Gore, Institute Computer Research - ICR) writes:
<Hello All,
<	The current discussion has been whether it is _impossible_ or not to
<detect faked usenet articles - most recently re: <3947@watdcsu.waterloo.edu>
<
<	Here is a small part of the history log from watdcsu showing that 
<article 4000 doesn't exist - yet. No need to take my word for this as most 
[deleted - mwm]
<	It's obvious that the poster thus made a silly mistake in his attempt
<to fake the posting in question. 

It's not a silly mistake - it's required if the forgery is to go
anywhere. Since it never reaches the "originating" machine, it's
probable that the forgery wouldn't be detected until after the forged
messagle id had come into existence. With some care as to content,
it's even possible that the forgery won't be noticed until the forged
article had expired on most sites.

BTW, 4000@watdcsu.waterloo.edu does exist - everywhere but at watdcsu!
So when watdcsu generates that message id, it won't propogate. You
might want to do something about that.

<But rather then letting this issue get too clouded I would
<to say that my original observations were in regard to a statement that
<it was _impossible_ to detect faked articles.

You also said that it would be simple to determine where the forgery
_didn't_ come from, and that you could probably determine where it did
come form. [See attached forgery for the quote.] But now we hear:

<The importance of backtracking <4000@watdcsu.waterloo.edu> is very low.

The attitude "Yes, I can do it, but it isn't worth the effort in this
case" is one commonly found in charlatans. I don' think you're a
charlatan, I merely think you're wrong. You've got a test case here -
please prove you have the ability you claim you do.

On a more important note, I suspect that computer log files will be as
admissable in a court of law as audio tape recordings. Would one of
the lawyers on the net care to comment (mcb)?

	<mike


<David Herron [ amoung a few others ] was kind enough to 
<forward me the posting which follows:
<-------------------------------------------
<
<Path: ukma!rutgers!ho95e!homxb!ihnp4!cbosgd!clyde!watmath!watdcsu!magore
<From: "Mike Gore, Institute Computer Research - ICR" <magore@watdcsu.waterloo.edu>
<Newsgroups: news.admin,misc.legal
<Subject: A challenge for those who believe that the network has security
<Message-Id: <4000@watdcsu.waterloo.edu>
<Date: 18 Oct 87 20:34:25 GMT
<References: <3947@watdcsu.waterloo.edu>
<Reply-To: "Mike Gore, Institute Computer Research - ICR" <magore@watdcsu.waterloo.edu>
<Organization: U. of Waterloo, Ontario
<Lines: 22
<Xref: ukma news.admin:1123 misc.legal:2913
<Resent-Date:  Mon, 19 Oct 87 10:56:31 EDT
<Resent-From: david@e.ms.uky.edu
<Resent-To: magore@watdcsu.waterloo.edu
<Apparently-To: <@math.waterloo.edu:magore@watdcsu.waterloo.edu>
<Status: R
<
<Mike Gore asserts the following:
<
<> 	Yes you could by faking the header - BUT once the forged message
<> leaves your site it will leave a trail pointing back to you. Every site
<> you connect to will tack on it's own part of the full distribution path and
<> if enough people compare the results it would be simple to determine where
<> it _didn't_ come from by seeking a common root- and in many cases it would be 
<> possible to track it back to the actual poster _if_ that site keeps logs. If 
<> you do manage to post from several places at once you might cause problems 
<> with this method but there are other methods by using article numbers that 
<> further help to make undetected forgeries harder to do... 
<
<I challenge him to figure out where this article originated from,
<where it was inserted into the network, and who really wrote it in
<the first place. I believe that the network does not have sufficient
<audit trails to make this possible.
<
<And as a courtesy, someone ought to mail him a copy of this article;
<you see, as a consequence of the forgery method, his site will not
<get a copy.
<
<Of course, this might really be Mike Gore, arguing with himself...
<
<# Mike Gore 
<# Institute for Computer Research. ( watmath!mgvax!root - at home )
<# These ideas/concepts do not imply views held by the University of Waterloo.
<
<--
<<---- David Herron,  Local E-Mail Hack,  david@ms.uky.edu, david@ms.uky.csnet
<<----                    {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
<<---- I thought that time was this neat invention that kept everything
<<---- from happening at once.  Why doesn't this work in practice?

--
Tell me how d'you get to be				Mike Meyer
As beautiful as that?					mwm@berkeley.edu
How did you get your mind				ucbvax!mwm
To tilt like your hat?					mwm@ucbjade.BITNET