Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!aramis.rutgers.edu!webber
From: webber@aramis.rutgers.edu (Bob Webber)
Newsgroups: news.admin
Subject: Re: NNTP, Security, and the "webber" sendsys
Message-ID:
Date: 4 Jul 88 07:25:41 GMT
References: <4248@pasteur.Berkeley.Edu>
Organization: Rutgers Univ., New Brunswick, N.J.
Lines: 60
To: fair@ucbarpa.berkeley.edu webber@aramis.rutgers.edu

In article <4248@pasteur.Berkeley.Edu>, fair@ucbarpa.Berkeley.EDU (Erik E. Fair) writes:
> In the referenced article, Bob.Webber@aramis.RUTGERS.EDU writes:
>     I am told that the messages were actually fed in at the
>     rutgers gateway itself via the joys of Eric Fair's nntp.
>
> First, I'd like to take this opportunity to correct Dr. Webber's
> spelling. My name is "Erik", not "Eric". Write whatever you want
> about me, but spell my name right!

Hmmm. Maybe it wasn't you I was talking about then. But what the heck,
you can add this to the list of typos that have appeared in my articles
over the years and as a token of good faith, I have just typed

    repeat 10000 echo Erik Fair >/dev/blackboard

> Second, NNTP is by no means mine. ... [acted as] "marketeer" for it.

Well, since it is the use of nntp rather than the coding of nntp that
is the basis of my opinions on nntp, maybe attributing it to you wasn't
so far off.

> Third, NNTP provides as much security as we thought was reasonably
> useful, given that netnews itself has no authentication at all,
> and no protection against forgeries.

Actually, rather than pointing at the security of netnews, I thought
you would base the lack of security of your protocol on the underlying
lack of security in the networking system in general. After all, surely
no one pretends that it is difficult to break into any arpa educational
site and post as root. At one point last summer Henry Spencer was
speaking about adding enough security to netnews to prevent people from
posting into moderated groups, but apparently he gave up on that as a
lost cause. With enough cpu, I guess we could run the whole net like
Kerberos, but considering how well secretmail caught on, I wouldn't
hold my breath [sorry to disappoint people on both sides of that
ambiguity].

> Most Internet sites, at our recommendation, allow anyone to do
> transfer so that, among other things, if anyone needs to examine
> a particular article at lots of sites, it's easy to do so (I've
> done this upon occasion).

I am told rutgers doesn't do this because too many people were using
the facility for their main feed -- nothing like being visible.

> If s/he sent the article to some other sites in that Path:, each
> of those sites should examine their logs as well.
>
> I want to expose the culprit to public ridicule - it was a rather
> stupid and wasteful thing to do.

As mentioned before, the sysadmin of rutgers (pleasant@aramis.rutgers.edu)
claims to know who did it, but he is not interested in seeing the
culprit exposed to public ridicule (although he knows who did it well
enough to take revenge on them for the amount of junk mail this
generated for him). He has told me that the intrusion did start from an
nntp link into rutgers. So, I guess as long as he is willing to sit
tight on the records, the rest of the backbone can claim to be united
in a wish to track down the person involved. Who knows, maybe even a
few people will believe them.

----- BOB (webber@athos.rutgers.edu ; rutgers!athos.rutgers.edu!webber)