Very Computer

This is a long message, partly because it is a complex question and partly
because I can never explain things succinctly.

I need some advice about a troublesome USENET forgery allegation.

  I got an e-mail through channels where a woman (A) who has nothing to do
with my agency was claiming that someone forged several posts to one of
those unmentionable alt.sex groups using her e-mail address.

She says her Internet provider traced the post to an IP address.  This IP
address belongs to an employee in my group (B).  Our newsreader does not
allow posts to any alt groups.  I do not want to confont B (or his direct
supervisor) until I know more about the situation.

There are lots of possibilities here, but I want some indication as to
which ones are likely or unlikely, and if there are other possibilities I
should consider.

1.  A is making the whole thing up, either to embarrass B or to embarrass
our agency.

2. B made an amateurish attempt to forge a post.

3.  C (an unknown person who knows A and B) created a double forgery,
listing the e-mail address of A and leaving an easily traced path to B.

4.  C (an unknown person who does not know A and B) wants to embarrass our
agency.

5. C (an unknown person who knows A but not B) uses a random IP address to
cover his/her tracks. (Is this really necessary?)

6.  D (a coworker of B) is up to no good and uses the computer of B to
cover his/her tracks.

Are there other possibilities I should consider?  What is a good way to
investigate this?  This is a minefield, and I want to tread carefully.

My apologies if this is the wrong newsgroup.  Please direct me to the
right spot if I am off topic.  I never expected to be handling situations
like this.  <sigh>

Standard disclaimer applies.

-----BEGIN PGP SIGNED MESSAGE-----

Does your system have any sort of audit trail, or temp file
that you can look at to see if the message was actually sent
by your user?  That's one option.

Have the alleged victim and her internet provider show you
the message she received and the trail it took through
the internet.  It's REAL easy to set an IP address to
someone else's.

If you can prove that your maillist software does not allow
posts to the alt. groups, that may be sufficient.
At the very least, you can use this incident to check the
security of your system

If you cannot find any proof that your user did not send
this message, you should ask him or her.  

Finally, the best protection a person can have against
these claims is to use PGP to digitally sign their
messages, as I am doing with this one.

Please keep me posted.  If we don't police ourselves,
Congress (the opposite of progress) will.

Tim Metzinger

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBL+4ejZpt8ZXoIrfpAQGPhAQAjF8nPm7xLSTeoRxnILvVPNvtJpkRELi+
4wZPE77SisQzB6I7oSs4WOXxxOGCzbcLZpRDP4Jpds8cs/1BBklLffx6n4LjfmnN
hc/5BnGdNzf5qinZ3Q94HjMNyM8No/qu9VuC1wZjoJtWpqZ8oUo+nq4HgFolsTE+
rwFZjXw3Rjc=
=F4IV
-----END PGP SIGNATURE-----

Actually this provides very little protection. The fact that you
routinely use PGP to sign messages does not prove that an unsigned
message did not come from you.

Unless you have sufficient hard information to prove that B committed the
offense other than just an IP address, forget it.  Anything you do will not
likely stand up in court should B decide to sue you.

I would recommend that you bring all your employees together along with someone
from security.  Then brief everyone on the policies of your organization to
include the possibility of dismissal for violation of the policies.  Make sure
that you have conferred with your human resources department and legal
department before proceeding.  Both HR and legal may suggest that everyone in
attendance sign a statement that they have been briefed and that they
understand what they were briefed on.

One particular problem is one of control -- how does your organization control
the use of computer resources? Does anyone have access after hours to anothers
resources? What about during the day -- does anyone care if someone else is
sitting behind another's terminal? If any of these are possible and if they do,
in fact, occur, proving anything is extremely difficult and will certainly
require close consultation with the legal and HR representatives.

Nick.

Thanks to all who responded (I got 7 private responses).  I will
investigate further, and if I come up with a definitive answer, I will
share it with this group.

?If you can prove that your maillist software does not allow
?posts to the alt. groups, that may be sufficient.
?At the very least, you can use this incident to check the
?security of your system

But how to prove that NNTP -connections to some news server was disabled.

I was impression that author of news server was confirmed from what IP
-address that connection come. And questioner said that that IP address
belong to (B).

Was that IP -address confirmed agaist logs of that news server?
If it was, then it is difficult to claim to be wrong.