FAQ: Better living through forgery (Updated!)


Post by J.D. Fa » Sat, 08 Jul 1995 04:00:00



In news.admin.policy, comp.admin.policy, comp.security.misc, alt.security,
        misc.legal.computing, news.admin.misc, news.groups.questions,
        news.groups, news.newusers.questions, alt.censorship,
        alt.comp.acad-freedom.talk, and alt.current-events.net-abuse,
        somebody who forges their messages and probably isn't actually

> PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.

        Heed that warning, even though the poster (David Lawrence or not)
doesn't really seem to care.  Forgery is not a joke.
        Forging messages basically breaks down the entire trust that
Usenet is based on, so DO NOT do it just to*people off -- you are
likely to succeed, and there are a great many ways to trace a forgery.

--

  |   "That article and its poster have been canceled."                  |
  |                      -David B. O'Donnell, Sysadmin, America OnLine   |
 ----========== http://www.*nothing.org/jdfalk/home.html ==========----

 
 
 

FAQ: Better living through forgery (Updated!)

Post by David Stodols » Sun, 09 Jul 1995 04:00:00



comp.security.misc,alt.security,misc.legal.computing,news.admin.misc,
news.groups.questions,news.groups,news.newusers.questions,alt.censorship,
alt.comp.acad-freedom.talk,alt.current-events.net-abuse),

> If you post a controversial article, such as this one or proprietary source
> code or threats to bomb Parliament,

No doubt to make a big hit in Canada:

--Subject: EFFector Online 08.11 * EFF Relocation; Cox/Wyden Bill; FBI sting--

Subject: Newsbytes
------------------

* USSS/RCMP Investigations and More Anti-Net Hysteria Generated by Hoax

Electronic Frontier Canada reports that both the Royal Canadian Mounted
Police and the US Secret Service launched into full-scale "bomb threat"
investigations, in response to a typical "anarchy file", giving dubious
information about car bombs, posted to a local Nova Scotia newsgroup,
because it mentioned the upcoming Halifax, NS G-7 summit.

Most readers would recognize the post as wry, if rather tasteless and
indiscreet, political humor, but the police took it seriously enough to
investigate to a dead end the apparent (but forged) email address of the
poster, and to "interview" a San Francisco man, Mike Johnson, whose
email address was mentioned in the body of the message. Incidentally,
an associate of Johnson recently received a similar visit from the FBI
in connection with the UNABOMB investigations, following an anonymous
tip that the friend was the bomber himself - Johnson suspects both his
and his friend's email addresses were used by the same, unidentified,
prankster.

This might all be comical (except perhaps for Mike Johnson), were it not
for the grandstanding that would-be censors are doing, using the hoax as a
prop. As the efc-talk post reporting these events noted, "the Chairman of
the [Canadian] Information Highway Advisory Council, David Johnston,
couldn't resist mentioning the incident in a recent editorial in the
Montreal Gazette and Ottawa Citizen...Following early reports of the
'Halifax internet bomber', some have been quick to call for Internet
regulation to prevent foolish pranks like this. David Johnston...likes
to mention the recent Oklahoma bombing for extra emphasis."

One wonders if the boundary between fiction and reality seems more
permeable for some people than for others.

-- End EFFector Online 08.11 * EFF Relocation; Cox/Wyden Bill; FBI sting--


> the original ID and issue control messages with predictable new IDs like

> some innocuous messages using these predicted message-IDs shortly beforehand.
> Once these articles are in the news system, they will block posting of the
> attempted automatic cancels.  Then post your real message, and the
> autocancellers that use these original-ID permutations will fail to remove it!


avoids duplicate cancels, so coordination via a mail list is unnecessary.


> PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.

Right, like bringing down the full weight of both the US and Canadian
Federal governments on the Net. <irony>

dss

David S. Stodolsky      Euromath Center     University of Copenhagen


 
 
 

FAQ: Better living through forgery (Updated!)

Post by Joerg Sommr » Sun, 09 Jul 1995 04:00:00





>>> PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.

>>        Heed that warning, even though the poster (David Lawrence or not)
>>doesn't really seem to care.  Forgery is not a joke.
>I'd hazard to guess that it was NOT the real Dave Lawrence...  couple
>of errors which Dave wouldn't be caught dead doing (ie: the effort required
>to make those errors is more than to do it right) as well as a very odd
>Path:.

This article proved its own truth. If it was someone else
but Dave Lawrence who was faked, you might have trusted those headers.

This means: ``Be careful.'' It seems Usenet needs more security.

Jo
--
-rw-r--r--   1 jo       users          75 Jul  8 19:11 /home/jo/.signature

 
 
 

FAQ: Better living through forgery (Updated!)

Post by Jeffrey C. Oll » Sun, 09 Jul 1995 04:00:00


-----BEGIN PGP SIGNED MESSAGE-----

J>
J> Forging messages basically breaks down the entire trust that
J> Usenet is based on, so DO NOT do it just to*people off -- you are
J> likely to succeed, and there are a great many ways to trace a forgery.

Which is why I have begun to PGP-sign my posts (even though I'm not as
tempting a target as others would be).  If more news and mail readers
would incorporate such technology, we wouldn't have this problem
(admittedly there would be others).  Sigh...

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface

iQCVAwUBL/4BcpwkOQz8sbZFAQH5CQP+JxECuPTdAprNJI7BTCrTv4F6acUasJhh
FpQsgXRjBejsyrftiaCHQS9bIoZ0O4bv90VXMjXQu11WbwP60xaq8oE/A32rFlz3
YlexdM0TVnzd/TTc3rILkwE3T1aCT+6KKIOQmaXGBfh/lUUCB3vF4bz0jrBM9pV7
9hTLUgXk0TY=
=LVme
-----END PGP SIGNATURE-----
--
Jeffrey C. Ollie
Iowa Network Services System Administrator

 
 
 

FAQ: Better living through forgery (Updated!)

Post by The R R M Twe » Sun, 09 Jul 1995 04:00:00




>> PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.

>    Heed that warning, even though the poster (David Lawrence or not)
>doesn't really seem to care.  Forgery is not a joke.

I'd hazard to guess that it was NOT the real Dave Lawrence...  couple
of errors which Dave wouldn't be caught dead doing (ie: the effort required
to make those errors is more than to do it right) as well as a very odd
Path:.

>    Forging messages basically breaks down the entire trust that
>Usenet is based on, so DO NOT do it just to*people off -- you are
>likely to succeed, and there are a great many ways to trace a forgery.

I'd also guess that the person who did post this is trying to get
UUNet to close down their open access server.

--

**** Regarding the Internet><WWIVNet gateway and other assorted stuff: ****

 
 
 

FAQ: Better living through forgery (Updated!)

Post by Bill Stewart-Co » Sun, 09 Jul 1995 04:00:00




>I'd also guess that the person who did post this is trying to get
>UUNet to close down their open access server.

Or maybe it's an attempt to sully tale's reputation.

--
Bill Stewart-Cole
What is Stewart-Cole Consulting?
Hell if I know. I'll find out when I finish the web page.
If the above isn't PGP signed, I *might* not have written it.

 
 
 

FAQ: Better living through forgery (Updated!)

Post by Michael Shiel » Mon, 10 Jul 1995 04:00:00






> >I'd also guess that the person who did post this is trying to get
> >UUNet to close down their open access server.

> Or maybe it's an attempt to sully tale's reputation.

Or maybe they just picked a well-known name, like "Bill Clinton" would be.
--
Shields.
 
 
 

FAQ: Better living through forgery (Updated!)

Post by David C Lawren » Mon, 10 Jul 1995 04:00:00


        Anonymous netnews without "anonymous" remailers

Inspired by the recent "NetNews Judges-L" events, this file has been updated to cover forging control messages.  It is being posted periodically to address
the increasing trend of "how do I fake news?" questions from the lamers, and
the revelation that anonymous remailers are UNSAFE.  In addition to anonymous
posting, you can also do your own article canceling and create and destroy your
own newsgroups using the information presented here.

Save any news article to a file, with all the headers intact.  Then edit this
file, and remove any header lines of the form

        From some!random!path!user   (note: "From ", not "From: " !!)
        Article:
        Lines:
        Xref:

Shorten the Path: header down to its LAST two or three "bangized" components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to.  Or
you can construct a completely new Path: line to reflect your assumed alias.

Make some change to the Message-ID: field, that isn't likely to be duplicated
anywhere.  This is usually best done by adding a couple of random characters to

field to generate these IDs.

Change the other headers to say what you like - From:, Newsgroups:, Sender:,
etc.  Replace the original message text with your message.  If you are posting
to a moderated group or posting a control message, remember to put in an
Approved: header to bypass the moderation mechanism.

To specifically cancel someone else's article, you need its message-ID.  Your
message headers, in addition to what's already there, should also contain the
following with that message-ID in it.  This makes it a "control message".
Control messages also require an Approved: header, so add one.




Newsgroups are created and destroyed with control messages, too.  If you
wanted to create, for instance, comp.misc.microsoft.sucks, your control
headers would look like

        Subject: cmsg newgroup comp.misc.microsoft.sucks
        Control: newgroup comp.misc.microsoft.sucks

Add on the string "moderated" at the end of these if you want the group to
be "moderated with no moderator" as with alt.hackers.  Somewhere in the
body of your message, you should include the following text, changed with
the description of the group you're creating:

        For your newsgroups file:
        comp.misc.microsoft.sucks               We don't do windows

To remove a group, substitute "rmgroup" for "newgroup" in the header lines
above.  Keep in mind that most sites run all "rmgroup" requests through
a human news-master, who may or may not decide to honor it.  Group creation
is more likely to be automatic than deletion at most installations.  Any
newsgroup changes are more likely to take effect if they come from me, since
my name is hardwired into many of the NNTP control scripts, so using the
From: and Approved: headers from this posting is recommended.

Save your changed article, check it to make sure it contains NO reference
to yourself or your own site, and send it to your favourite NNTP server that
permits transfers via the IHAVE command, using the following script:

=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server

if test "$2" = "" ; then
  echo usage: $0 filename server
  exit 1
fi
if test ! -f $1 ; then
  echo $1: not found
  exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
  sed 's/.*-[Ii][Dd]: //'`
echo $msgid

( sleep 5
  echo IHAVE $msgid
  sleep 5
  cat $1
  sleep 1
  echo "."
  sleep 1
  echo QUIT ) | telnet $2 119
=======================

If your article doesn't appear in a few hours, try a different server.
They are easy to find.  Here's a script that will break a large file
full of saved netnews into a list of hosts to try.  Edit the output
of this if you want, to remove obvious peoples' names and other trash.

=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================

Once you have your host list, feed it to the following script.

=======================
#! /bin/sh
while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
  sleep 5

  sleep 4
  echo .
  echo quit
  sleep 1
  echo quit
) | telnet
done
=======================

If the above script is called "findem" and you're using csh, you should do

        findem < list >& outfile

so that ALL output from telnet is captured.  This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335".  These mark
answers from servers that might be willing to accept an article.  This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles.  Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.

You may have to monitor the finding script a little while it is running, to
make sure one of the telnets does not hang for some reason.

You will notice other servers that don't necessarily accept an IHAVE, but
say "posting ok".  You can do regular POSTS through these, but they may add
an "NNTP-Posting-Host:" header containing the machine YOU came from and are
therefore unsuitable for completely anonymous use.

If you post a controversial article, such as this one or proprietary source
code or threats to bomb Parliament, you can be fairly sure that someone will
try to cancel it fairly quickly.  In fact, some people may have automatic
measures in place to detect and cancel articles that they didn't really post.
But these mechanisms are often automated enough that you can defeat them and
have your article stay in the news system a little longer.


the original ID and issue control messages with predictable new IDs like

some innocuous messages using these predicted message-IDs shortly beforehand.
Once these articles are in the news system, they will block posting of the
attempted automatic cancels.  Then post your real message, and the
autocancellers that use these original-ID permutations will fail to remove it!
Your blocker-postings do not have to go to `control'.  It does not matter which
newsgroups they go to, as long as they are in the news system somewhere.
Reposting a modified version of someone else's message is the subtlest way to
claim a message-ID.

This will not work, of course, if the canceller uses a new message ID, but
it is worth mentioning.  You may find the idea of cancel-ID prediction useful
if you are being victimized by someone else's cancelmoose.  Some autocancel


most common.

I probably need not say that if your article is REALLY controversial, attempts
will be made to backtrace its origin.  You should take appropriate measures
to cover your tracks.  Many organizations place their news servers outside
their firewalls and packet filters, so for instance with a source-routing
setup, you can pretend to be anyone.

We maintain an IHAVE-friendly host right here: news.uu.net.  Feel free
to test these scripts through our server.

PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.
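
For news administrators reading this thread, the following is an added example (not part of any post above, and not code from any news server) of header triage on the receiving side. It flags the indicators the article describes and holds every cancel, newgroup and rmgroup for a human, since From: and Approved: are sender-supplied. The function names, the hop threshold and the sample article are assumptions made for illustration.

```python
from email.parser import HeaderParser

# Control verbs that change server state (the ones this thread discusses).
STATE_CHANGING = {"cancel", "newgroup", "rmgroup"}

def control_verb(h):
    """Find the control verb in Control: or in the older 'Subject: cmsg' form."""
    control = (h.get("Control") or "").split()
    if control:
        return control[0].lower()
    subject = (h.get("Subject") or "").split()
    if len(subject) >= 2 and subject[0].lower() == "cmsg":
        return subject[1].lower()
    return ""

def triage(raw_article, min_path_hops=4):
    """Return forgery indicators; hints only, since every header is sender-supplied."""
    h = HeaderParser().parsestr(raw_article)
    flags = []
    hops = [p for p in (h.get("Path") or "").split("!") if p]
    if len(hops) < min_path_hops:           # Path trimmed to 2-3 components
        flags.append("short-path")
    if h.get("NNTP-Posting-Host") is None:  # header a POSTing server may add
        flags.append("no-posting-host")
    verb = control_verb(h)
    if verb in STATE_CHANGING:
        flags.append("state-change:" + verb)
    return flags

def disposition(flags):
    """From:/Approved: prove nothing, so state changes always go to a human."""
    if any(f.startswith("state-change:") for f in flags):
        return "hold-for-newsmaster"
    return "review" if len(flags) >= 2 else "accept"

# Constructed sample: a newgroup control message with a trimmed Path.
SAMPLE_CONTROL = "\n".join([
    "Path: news.example.net!not-for-mail",
    "From: newsadmin@example.org",
    "Newsgroups: example.test",
    "Subject: cmsg newgroup example.test.group",
    "Control: newgroup example.test.group",
    "Approved: newsadmin@example.org",
    "Message-ID: <constructed-1@example.org>",
    "",
    "For your newsgroups file:",
    "example.test.group\tConstructed sample group",
])
```

A short Path or a missing NNTP-Posting-Host also occurs on legitimate articles, so those two flags only raise priority for review; the hold on state-changing control messages is the part that does not depend on any header being truthful.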

 
 
 

1. FAQ: Better living through forgery


This is terrible! In good ol' times, the ones who could forge at least
had to figure out what was RFC977, be able to write perl or shell or
expect scripts (whatever you like) and find an IHAVE-friendly server.
These people at least were educated enough to understand that they have
some responsibility. Now you post it to news.newusers.questions with all
scripts. Guess what will happen. Guess what will happen to news.??.net,
asshole.

YOU ARE A FUCKHEAD IRRESPONSIBLE MOTHERFUCKING BASTARD, FORGER!
