Xref: utzoo news.sysadmin:1939 news.admin:4287
Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!nrl-cmf!ukma!rutgers!att!skep2!wcs
From: wcs@skep2.ATT.COM (Bill.Stewart.[ho95c])
Newsgroups: news.sysadmin,news.admin
Subject: Re: rnews: security hole. Too bad.
Message-ID: <361@skep2.ATT.COM>
Date: 13 Dec 88 17:27:09 GMT
References: <1219@altger.UUCP>
Reply-To: wcs@skep2.UUCP (46323-Bill.Stewart.[ho95c],2G218,x0705,)
Organization: AT&T Bell Labs Center 4632, Holmdel, NJ
Lines: 49

In article <1219@altger.UUCP> blue@altger.UUCP (blue) writes:
: Well, it seems that UUCP &C. really lack on security..
: I just realized that a registered node on a unix system, which
: is NOT authorized to get News of ANY kind, can on the contrary
: SEND any news-message ANYWHERE on ANY distribution.
: THIS IS REALLY AMAZING.
: On ANY Bulletin Board Service new users are allowed to read
: at least some message base, but cannot write messages.
: Protection should be made on the POSTING of new messages.
: Not only on the "sendbatch"!

You seem to have a different understanding of what usenet is about
than most of us do. There isn't some "big brother" government
AUTHORIZING you to send and receive news; everyone's allowed to do
what they want. (I realize Europe is slightly different because of
billing for the trans-Atlantic link, and because your phone companies
belong to the government.)

If your site doesn't want to receive news, your administrators don't
need to install the software to receive it. If your administrators
don't want to receive a specific group, they can ask their news feed
not to send it, or tell their software to reject messages they don't
want.

Posting is ok, and it's a good thing. If your site wants to reduce
the amount of posting they do to reduce costs, fine. If they want to
make it difficult for new users to post because they might look like
fools if they talk before they've done some reading, fine. It's not
hard to get those features. But otherwise, why protect posting?
It's like arguing against free speech; if you don't like what people
might say you enlighten them about how wrong they are, you don't
prevent them from talking.

Distributions have two main purposes: to reduce the volume of news
transmitted around so people only pay to send/receive the news they
want, and to allow private discussions to use netnews technology
(e.g. within a company). The only security issues with distributions
are making sure that all the machines that support your
private-discussion group don't automatically forward to machines that
shouldn't receive it (easy) and making sure everyone who has access
to those machines is allowed to read the news (tougher, especially if
your company has contract-workers and other semi-employees on the
machine, or if your machine supports TCP/IP without being careful
about administration.)

If you want to post an article to news.admin or talk.politics about
"Car for Sale in Amsterdam", or "Gorbachev selling used missiles" it
doesn't do any real harm, though it's annoying. This is just netnews,
after all - you don't have to believe everything you read here.
--
# Thanks;
# Bill Stewart, AT&T Bell Labs 2G218 Holmdel NJ 201-949-0705 ho95c.att.com!wcs
#
# News. Don't ask me about News.