Path: utzoo!attcan!uunet!husc6!rutgers!ucsd!ucbvax!pasteur!ucbarpa.Berkeley.EDU!fair
From: fair@ucbarpa.Berkeley.EDU (Erik E. Fair)
Newsgroups: news.admin
Subject: NNTP, Security, and the "webber" sendsys
Message-ID: <4248@pasteur.Berkeley.Edu>
Date: 4 Jul 88 02:52:43 GMT
References:
Sender: news@pasteur.Berkeley.Edu
Organization: USENET Protocol Police, Western Gateway Division
Lines: 53

In the referenced article, Bob.Webber@aramis.RUTGERS.EDU writes:

> I am told that the messages were actually fed in at the rutgers
> gateway itself via the joys of Eric Fair's nntp.

First, I'd like to take this opportunity to correct Dr. Webber's
spelling. My name is "Erik", not "Eric". Write whatever you want about
me, but spell my name right!

Second, NNTP is by no means mine. Most of the work was done by Phil
Lapsley, who wrote the daemon, and hacked up "rn" to be the first
reader client. Brian Kantor wrote some software in a parallel effort,
and he wrote nearly all of what became RFC977. I wrote the news
transfer client, kibitzed a lot on the spec, and played "marketeer" for
it. Several other people have written reader clients for operating
systems other than UNIX (e.g. TOPS-20, VMS, Symbolics Lisp Machines,
System V, MS/DOS, etc.)

Third, NNTP provides as much security as we thought was reasonably
useful, given that netnews itself has no authentication at all, and no
protection against forgeries. The NNTP daemon can discriminate between
sites, offering four levels of service: none (i.e. connection refused),
transfer (they're allowed to give us articles, and fetch stuff by
message-id), reader (they're allowed to give the group command, and
fetch things by sequence number), and post (they're allowed to use the
post command). Discrimination can be done on network, sub-network, or
per-host basis, with distribution security (e.g. if you're a company on
the internet with NNTP and internal newsgroups, you can allow transfer,
and still prevent people from outside your network from fetching
articles in your internal newsgroups).

The NNTP daemon also logs stuff out the wazoo (Phil and I believe very
strongly in logging; it allows you to figure out what's going on in
lots of situations).

Most Internet sites, at our recommendation, allow anyone to do transfer
so that, among other things, if anyone needs to examine a particular
article at lots of sites, it's easy to do so (I've done this upon
occasion). However this all gets logged, so the only way that the
perpetrator of the "webber" sendsys can hope to escape notice is if he
is already at one of Rutgers' normal netnews feeds (assuming s/he
dropped it on Rutgers). At that point, someone will have to examine the
NNTP and news logs of Rutgers very closely, to try and match the times
that the articles got processed by netnews, along with which remote
sites were speaking NNTP to Rutgers at the time. If s/he sent the
article to some other sites in that Path:, each of those sites should
examine their logs as well.

I want to expose the culprit to public ridicule - it was a rather
stupid and wasteful thing to do.

	Erik E. Fair	ucbvax!fair	fair@ucbarpa.berkeley.edu
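
The four service levels and per-network, per-subnet and per-host discrimination described in the post, modelled as an added example; it is not part of the original article and not the NNTP daemon's own code. The rule table, the addresses (documentation ranges) and the "internal." hierarchy are constructed, and two things are assumed rather than stated in the post: each level includes the ones below it, and a crossposted article is withheld if any of its groups is withheld.

```python
import ipaddress
from enum import IntEnum

class Level(IntEnum):
    NONE = 0      # connection refused
    TRANSFER = 1  # may offer articles and fetch by message-id
    READER = 2    # may also use GROUP and fetch by sequence number
    POST = 3      # may also use POST

# Constructed policy: (prefix, level, newsgroup prefixes withheld from the peer).
# Addresses are documentation ranges; "internal." is a hypothetical hierarchy.
RULES = [
    ("0.0.0.0/0",      Level.TRANSFER, ("internal.",)),  # anyone: transfer only
    ("192.0.2.0/24",   Level.POST,     ()),              # own network: full service
    ("192.0.2.128/25", Level.READER,   ()),              # one subnet: read, no post
    ("192.0.2.200/32", Level.NONE,     ()),              # one host: refused
]

def lookup(peer):
    """Return (level, withheld) from the most specific rule matching peer."""
    addr = ipaddress.ip_address(peer)
    hits = [(ipaddress.ip_network(p), lvl, deny) for p, lvl, deny in RULES]
    hits = [h for h in hits if addr in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen)[1:]

def allowed(peer, command, arg="", newsgroups=()):
    """May peer issue this RFC 977 command? newsgroups lists the groups of
    the article being fetched (the server knows them; the caller passes them)."""
    level, withheld = lookup(peer)
    cmd = command.upper()
    if cmd == "IHAVE":
        need = Level.TRANSFER
    elif cmd in ("ARTICLE", "HEAD", "BODY", "STAT"):
        # By message-id is a transfer operation; by sequence number is reading.
        need = Level.TRANSFER if arg.startswith("<") else Level.READER
    elif cmd == "GROUP":
        need, newsgroups = Level.READER, (arg,)
    elif cmd == "POST":
        need = Level.POST
    else:
        return False  # commands outside this sketch are denied
    if level < need:
        return False
    if cmd in ("IHAVE", "POST"):
        return True   # inbound articles: nothing is being disclosed
    # Distribution security: refuse anything in a withheld hierarchy.
    return not any(g.startswith(w) for g in newsgroups for w in withheld)
```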