FAQ: Better living through forgery

Computer User

Jun 10, 1995, 3:00:00 AM
IN A FORGED MESSAGE ta...@uunet.uu.net (David C Lawrence) wrote:
> Anonymous netnews without "anonymous" remailers
>

This is terrible! In good ol' times, the ones who could forge at least
had to figure out what was RFC977, be able to write perl or shell or
expect scripts (whatever you like) and find an IHAVE-friendly server.
These people at least were educated enough to understand that they have
some responsibility. Now you post it to news.newusers.questions with all
scripts. Guess what will happen. Guess what will happen to news.??.net,
asshole.

YOU ARE A FUCKHEAD IRRESPONSIBLE MOTHERFUCKING BASTARD, FORGER!

Will Spencer

Jun 10, 1995, 3:00:00 AM

Ever wonder who you are flaming???

David C. Lawrence is the moderator of news.announce.newgroups, the
ultimate arbiter and auditor of RFD/CFV/Newgroup-Rmgroup procedures on
mainstream hierarchies, and thus the de-facto czar of mainstream
Usenet. Basically, in news.*, misc.*, soc.*, talk.*, comp.*, and sci.*,
he is the one who determines authoritatively what is and what is not a
valid newsgroup.

--
/* Will Spencer / Voyager : The advancement and diffusion */
/* Member: TNO, The New Order : of knowledge is the only */
/* alt.2600/#hack FAQ Editor : guardian of true liberty. */
/* Writer, poet, hacker, human : -- James Madison */

David C Lawrence

Jun 10, 1995, 3:00:00 AM
Anonymous netnews without "anonymous" remailers

Inspired by the recent "NetNews Judges-L" events, this file has been updated to cover forging control messages. It is being posted periodically to address
the increasing trend of "how do I fake news?" questions from the lamers, and
the revelation that anonymous remailers are UNSAFE. In addition to anonymous
posting, you can also do your own article canceling and create and destroy your
own newsgroups using the information presented here.

Save any news article to a file. We'll call it "hak" in this example.

Edit "hak", and remove any header lines of the form

From some!random!path!user (note: "From ", not "From: " !!)
Article:
Lines:
Xref:

Shorten the Path: header down to its LAST two or three "bangized" components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to. Or
you can construct a completely new Path: line to reflect your assumed alias.

Make some change to the Message-ID: field, that isn't likely to be duplicated
anywhere. This is usually best done by adding a couple of random characters to
the part before the @, since news posting programs generally use a fixed-length
field to generate these IDs.

Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message. If you are
posting to a moderated group or posting a control message, remember to put in
an Approved: header to bypass the moderation mechanism.

To specifically cancel someone else's article, you need its message-ID. Your
message headers, in addition to what's already there, should also contain the
following with that message-ID in it. This makes it a "control message".
NOTE: control messages generally require an Approved: header as well, so
you should add one.

Subject: cmsg cancel <xb8...@twits.site.com>
Control: cancel <xb8...@twits.site.com>
Approved: lu...@twits.site.com

Newsgroups are created and destroyed with control messages, too. If you
wanted to create, for instance, comp.misc.microsoft.sucks, your control
headers would look like

Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks

Add on the string "moderated" at the end of these if you want the group to
be "moderated with no moderator" as with alt.hackers. Somewhere in the
body of your message, you should include the following text, changed with
the description of the group you're creating:

For your newsgroups file:
comp.misc.microsoft.sucks We don't do windows

To remove a group, substitute "rmgroup" for "newgroup" in the header lines
above. Keep in mind that most sites run all "rmgroup" requests through
a human news-master, who may or may not decide to honor it. Group creation
is more likely to be automatic than deletion at most installations. Any
newsgroup changes are more likely to take effect if they come from me, since
my name is hardwired into many of the NNTP control scripts, so using the
From: and Approved: headers from this posting is recommended.

Save your changed article, check it to make sure it contains NO reference
to yourself or your own site, and send it to your favourite NNTP server that
permits transfers via the IHAVE command, using the following script:

=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server

if test "$2" = "" ; then
echo usage: $0 filename server
exit 1
fi
if test ! -f $1 ; then
echo $1: not found
exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
sed 's/.*-[Ii][Dd]: //'`
echo $msgid

( sleep 5
echo IHAVE $msgid
sleep 5
cat $1
sleep 1
echo "."
sleep 1
echo QUIT ) | telnet $2 119
=======================

If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output
of this if you want, to remove obvious peoples' names and other trash.

=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================

Once you have your host list, feed it to the following script.

=======================
#! /bin/sh

while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
sleep 5
echo ihave IamS...@podunk.edu
sleep 4
echo .
echo quit
sleep 1
echo quit
) | telnet
done
=======================

If the above script is called "findem" and you're using csh, you should do

findem < list >& outfile

so that ALL output from telnet is captured. This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335". These mark
answers from servers that might be willing to accept an article. This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles. Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.

Sometimes the telnets get into an odd state, and freeze, particularly when
a host is refusing NNTP connections. If you manually kill these hung telnet
processes but not the main script, the script will continue on. In other
words, you may have to monitor the finding script a little while it is
running.

You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok". You can probably do regular POSTS through these, but they
will add an "NNTP-Posting-Host: " header containing the machine YOU came from
and are therefore unsuitable for completely anonymous use.

We maintain an IHAVE-friendly host right here -- news.uu.net. Feel free
to test these scripts through our server.

PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.


Michael Shields

Jun 11, 1995, 3:00:00 AM
In article <will.802830123@rainbow>,

Will Spencer <wi...@rainbow.rmii.com> wrote:
> Ever wonder who you are flaming???
>
> David C. Lawrence is the moderator of news.announce.newgroups, the

I don't see a sequitur here.
--
Shields.

Peter Vorobieff

Jun 11, 1995, 3:00:00 AM
In article <will.802830123@rainbow>, wi...@rainbow.rmii.com spake thusly:

>
> Us...@127.0.0.1 (Computer User) writes:
> >IN A FORGED MESSAGE ta...@uunet.uu.net (David C Lawrence) wrote:
> >> Anonymous netnews without "anonymous" remailers
> >>
> >This is terrible! [snip]

>Ever wonder who you are flaming???
>
>David C. Lawrence is the moderator of news.announce.newgroups, the

[snip]

YHBT. HAND.
--
Thus spake Kalmoth the Vile, Slayer of One Robot and Seven Pigs.
DISCLAIMER: Opinions expressed in the article above, if any, are channeled from
the Fungi of Yuggoth and do not necessarily represent the views of
my other employers.


Daniel Hartung

Jun 11, 1995, 3:00:00 AM
Will Spencer <wi...@rainbow.rmii.com> wrote:
> Us...@127.0.0.1 (Computer User) writes:
> >IN A FORGED MESSAGE ta...@uunet.uu.net (David C Lawrence) wrote:
> >> Anonymous netnews without "anonymous" remailers
> >>
> >This is terrible! In good ol' times, the ones who could forge at least
[snip]

> >YOU ARE A FUCKHEAD IRRESPONSIBLE MOTHERFUCKING BASTARD, FORGER!
>
>Ever wonder who you are flaming???
>
>David C. Lawrence is the moderator of news.announce.newgroups, the
>ultimate arbiter and auditor of RFD/CFV/Newgroup-Rmgroup procedures on
>mainstream hierarchies, and thus the de-facto czar of mainstream
>Usenet. Basically, in news.*, misc.*, soc.*, talk.*, comp.*, and sci.*,
>he is the one who determines authoritatively what is and what is not a
>valid newsgroup.

Uh, for your benefit, here is the message ID from the
Better Living thru Forgery "FAQ":

>Message-ID: <StUPi...@uunet.uu.net>

--
Daniel A. Hartung | Usenet now has an Arts/Humanities hierarchy!
dhar...@mcs.com |
dhar...@chinet.chinet.com | Look for "humanities.misc" at your site soon!
http://www.mcs.net/~dhartung/ |

Marina Chong

Jun 11, 1995, 3:00:00 AM
wi...@rainbow.rmii.com (Will Spencer) wrote:

> Us...@127.0.0.1 (Computer User) writes:
> >IN A FORGED MESSAGE ta...@uunet.uu.net (David C Lawrence) wrote:
> >> Anonymous netnews without "anonymous" remailers
> >>

[snip]

> >YOU ARE A FUCKHEAD IRRESPONSIBLE MOTHERFUCKING BASTARD, FORGER!

>Ever wonder who you are flaming???
>
>David C. Lawrence is the moderator of news.announce.newgroups, the
>ultimate arbiter and auditor of RFD/CFV/Newgroup-Rmgroup procedures on
>mainstream hierarchies, and thus the de-facto czar of mainstream
>Usenet. Basically, in news.*, misc.*, soc.*, talk.*, comp.*, and sci.*,
>he is the one who determines authoritatively what is and what is not a
>valid newsgroup.
>

For your info:

tale DID NOT write the original message. The address is *forged*.

The forger posted a nearly identical message some weeks ago.

"Computer user" was flaming the impersonator.

Hope that helps.

HAND.


--
Marina S Y Chong mar...@singnet.com.sg
-------------------------------------------------------------------------
Cults+Conspiracies+Scams+Crimes+Clams! What do these add up to?
Read alt.religion.scientology and find out!
Save the Rev! Support the Dennis Erlich Defense Fund
David Dennis' WWW page> http://amazing.cinenet.net/scientology.html
Ron Newman's WWW page> http://www.mit.edu:8001/people/rnewman/home.html
-------------------------------------------------------------------------


TomasZ

Jun 12, 1995, 3:00:00 AM
Man oh man...

I'm no saint, but some people...

Sheesh!

I strongly suggest that some people try to use a dictionary or thesaurus
to get their point across...

And some people wonder why the media is having a field day about the
Internet...

Regards,

-- Tom
tom...@aol.com

Rob J. Nauta

Jun 12, 1995, 3:00:00 AM
wi...@rainbow.rmii.com (Will Spencer) writes:

Us...@127.0.0.1 (Computer User) writes:
>IN A FORGED MESSAGE ta...@uunet.uu.net (David C Lawrence) wrote:
>> Anonymous netnews without "anonymous" remailers
>>

>This is terrible! In good ol' times, the ones who could forge at least
>had to figure out what was RFC977, be able to write perl or shell or
>expect scripts (whatever you like) and find an IHAVE-friendly server.
>These people at least were educated enough to understand that they have
>some responsibility. Now you post it to news.newusers.questions with all
>scripts. Guess what will happen. Guess what will happen to news.??.net,
>asshole.

>YOU ARE A FUCKHEAD IRRESPONSIBLE MOTHERFUCKING BASTARD, FORGER!

>Ever wonder who you are flaming???

>David C. Lawrence is the moderator of news.announce.newgroups, the
>ultimate arbiter and auditor of RFD/CFV/Newgroup-Rmgroup procedures on
>mainstream hierarchies, and thus the de-facto czar of mainstream
>Usenet. Basically, in news.*, misc.*, soc.*, talk.*, comp.*, and sci.*,
>he is the one who determines authoritatively what is and what is not a
>valid newsgroup.

And, he isn't the one that posted it. I guess the person using the abusive
language is trying to flame the anonymous user that forged the post, at
least he used the 'IN A FORGED MESSAGE' clause.

Rob
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Rob J. Nauta r...@redwood.nl
REDWOOD Business Group B.V. Phone: +31-3404-31310
Princenhof Park 13 Telefax: +31-3404-30477
3972 NG DRIEBERGEN
The Netherlands

firebug

Jun 12, 1995, 3:00:00 AM
In article <will.802830123@rainbow>,
Will Spencer <wi...@rainbow.rmii.com> wrote:
> Us...@127.0.0.1 (Computer User) writes:
> >IN A FORGED MESSAGE ta...@uunet.uu.net (David C Lawrence) wrote:
> >> Anonymous netnews without "anonymous" remailers
> >>
> >YOU ARE A FUCKHEAD IRRESPONSIBLE MOTHERFUCKING BASTARD, FORGER!
>
>Ever wonder who you are flaming???

It seems that he is flaming the person that forged the message. In fact,
that seems *quite*clear*. Maybe before YOU flame someone, you should look at
what they said, instead of taking an opportunity to prove what a smart guy
you are.

>David C. Lawrence is the moderator of news.announce.newgroups, the
>ultimate arbiter and auditor of RFD/CFV/Newgroup-Rmgroup procedures on
>mainstream hierarchies, and thus the de-facto czar of mainstream
>Usenet. Basically, in news.*, misc.*, soc.*, talk.*, comp.*, and sci.*,
>he is the one who determines authoritatively what is and what is not a
>valid newsgroup.

Even if this was who he was flaming, I'd like you to take note of a few
things:
1) tale did not post that.
2) He clearly flamed the forger.
3) Just because tale is an Important Guy doesn't mean one should fear him,
were he to do something stupid like actually post that idiot's guide to
forgery.
4) rec.* and humanities.* also.
5) The people determine what is and what is not a valid newsgroup. A lot of
people trust tale to do that for them. But he has no "authoritative" power.
Like you said, he has de facto power. He can't decide that a group is a bad
idea, or that he doesn't like the outcome of a vote. It's not part of his
job, it's something that would piss people off, it would be quite dishonest.

In short, not one thing you said was accurate or relevant. You're quite the
smart guy, Will.

Scott A. Moore

Jun 12, 1995, 3:00:00 AM
I would not be stunned if the information in the posting was true. Several
of my knowledgeable friends have told me this is possible (I have better
things to do, personally).

But are the standards being updated to make this kind of nonsense
impossible (or more difficult) ? Requiring PGP signatures on control
messages would seem like a start....

[sam] (the real one)


Nathan J. Mehl

Jun 12, 1995, 3:00:00 AM
Will Spencer (wi...@rainbow.rmii.com) wrote in article <will.802830123@rainbow>:

: Ever wonder who you are flaming???
:
: David C. Lawrence is the moderator of news.announce.newgroups, the

BWAH HAH HAH HAH HAH HAH HAH!

Let's just say that even if I *didn't* know for a fact that Dave is
happily away on vacation right now, I still wouldn't have believed
for even a fraction of an instant that that post actually came from
him.

I suggest that you think for a second about the likelihood that a post
containing explicit instructions for usenet forgery would be posted
under the author's actual real name.

*sigh* Now all we need is for the bozos at SatelNET to turn those
scripts into a cgi form, and we can all officially give up on this
silly usenet idea.

Yeah, film at 11, I know, I know, I know...

--
-------{Nathan J. Mehl}--------------------{nm...@bbnplanet.com}-------|
| Will sell soul for date with PJ Harvey. Inquire within. |
|If you think I speak for my employer, they'll be happy to correct you.|
|-------------{http://ccat.sas.upenn.edu/nmehl/home.html}---------------

The BOB(c)

Jun 12, 1995, 3:00:00 AM
Scott A. Moore (s...@ccnet.com) spake unto us, saying:

: I would not be stunned if the information in the posting was true. Several
: of my knowledgeable friends have told me this is possible (I have better
: things to do, personally).

It does work and is useful for a number of reasons other than forgery.
For instance, you can increase your propagation by submitting an
article to several different sites at the same time.

One should note that most newsservers that accept articles via IHAVE do
keep a log of connections. This means that there is a record of what you
have done. The question is: Will someone look at it?


The BOB(c)
--
Y O U C A N Q U O T E M E O N T H A T Andrew S. Damick
Dave Hayes once did say, "If it's only -your- computer, then I
think you can do what you want." alt.fan.the-bob ishereandnow
Andrew S. Damick Y O U C A N Q U O T E M E O N T H A T

Wednesday

Jun 12, 1995, 3:00:00 AM
In article <3rhijd$9...@taco.cc.ncsu.edu>,

The BOB(c) <asda...@unity.ncsu.edu> wrote:
>Scott A. Moore (s...@ccnet.com) spake unto us, saying:
>
>: I would not be stunned if the information in the posting was true. Several
>: of my knowledgeable friends have told me this is possible (I have better
>: things to do, personally).
>
>It does work and is useful for a number of reasons other than forgery.
>For instance, you can increase your propagation by submitting an
>article to several different sites at the same time.

Additionally, it provides a fairly reliable means of anonymous posting
to those unwilling to deal with the severe load problems of anon.penet.fi,
the technical morass of the cypherpunk mailers, and the lag problems
associated with telnettable anonymous servers. I am thinking mainly in
terms of the service this script could provide to members of the abuse-
trauma-related support and recovery newsgroups, especially in the face of
one of our primary anonymous account servers going down and another
suffering frequent technical difficulties. The script will probably be
included in the anonymous posting instructions section of the alt.abuse.
transcendence FAQ when I have a chance to deal with it.

>One should note that most newsservers that accept articles via IHAVE do
>keep a log of connections. This means that there is a record of what you
>have done. The question is: Will someone look at it?

This is, however, the question one must ask of any anonymous posting system.
There is no 100% safe way to mask one's identity in this matter, barring
hacking your point-of-entry account in the first place (at which point one
faces legal questions).

-- -- wedn...@tezcat.com -- http://www.tezcat.com/~wednsday -- --
You are sentimental. You are passionate. You are actually FUN. You are
wistful. You are scarred. You are, in a philosophic sort of way, beautiful.
-- -- -- -- -- -- -- -- -- -- - Andrew S. Damick - --

Lars Marowsky-Bree

Jun 12, 1995, 3:00:00 AM

-----BEGIN PGP SIGNED MESSAGE-----


I think we should better look into PGP approved control messages _NOW_.

Now, here we have it - a forged troublemaker, no THE forged troublemaker.
Sure, there is little to no news in this for the more intelligent and longer
participants of the Net. But I would expect this to get us a lot of
cancelled messages. Perhaps this has a good side, too, namely showing just
how vulnerable UseNet is to idiots. But I don't think this outweighs the
disadvantages, ie every 'Stupid Fuck' (to quote the message id) is now able
to, and WILL, cancel messages, create groups and rm them.

Now, could someone please do a path comparison to check where this spam came
from?


Lars Marowsky-Bree Voice: +49-571-63663 PGP-key avail. via server
HomePage: http://www.teuto.de/~lmb Mail: l...@pointer.in-minden.de
PGP fingerprint: CF FC 3A F0 86 F1 D3 EB 79 8A CF 75 4F 4C 81 DF
> pleasure and pain - often the same <

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCzAwUBL9yMH+CsMSXatXlBAQEOBATvSsHNBUH/52CFmoK9I+t84JU6j2CmXNG5
fkYa1eGfqjXR1z+cbGqtsnBukT8b2gYhGNeVSGA+wvTPTOMHRGRkLlmaex4NN/i2
GzBI4wKuaPN47Bh+gl8d9Gp5STXB7MssenzKjPDYNbYQ1UZXkw1lE5PiUTj5I/jv
HmhFYSMU1R68oLpMKKFNBkfr8pcq+jRDJb5KDyFZt+5fGFvOMdQ=
=Co/E
-----END PGP SIGNATURE-----

Mahesh Ramachandran

Jun 12, 1995, 3:00:00 AM

In article <3rerpr$j...@lantana.singnet.com.sg>, mar...@singnet.com.sg (Marina
Chong) writes:
>
> For your info:
>
> tale DID NOT write the original message. The address is *forged*.
>

ummm, i was under the impression that tale had been posting this
every month. wrong? i have been seeing this posting since sometime
last october. mebbe tale is really concerned about the health of
netizens. ;-)

-rr


--

Russ Allbery

Jun 12, 1995, 3:00:00 AM
Mahesh Ramachandran <r...@eel.ufl.edu> writes:
>
>ummm, i was under the impression that tale had been posting this
>every month. wrong?

Wrong, I'm afraid. Someone has been forging it every month. Of course, if
you're going to post a document like this, the obvious thing to do would be
to forge it, and the obvious person to forge would be Tale. I'm sure that
the author couldn't resist.

It would help if Uunet would make its news server a bit less open. I'm not
sure I understand the reasoning behind their current policy. (Common
carrier status, perhaps?)

--
Russ Allbery (r...@cs.stanford.edu) http://www-leland.stanford.edu/~rra/

Stephen Boursy

Jun 13, 1995, 3:00:00 AM
In article <DA2pM...@pointer.in-minden.de>,

Lars Marowsky-Bree <l...@pointer.in-minden.de> wrote:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
> I think we should better look into PGP approved control messages _NOW_.
>
>Now, here we have it - a forged troublemaker, no THE forged troublemaker.
>Sure, there is little to no news in this for the more intelligent and longer
>participants of the Net. But I would expect this to get us a lot of
>cancelled messages. Perhaps this has a good side, too, namely showing just
>how vulnerable UseNet is to idiots. But I don't think this outweighs the
>disadvantages, ie every 'Stupid Fuck' (to quote the message id) is now able
>to, and WILL, cancel messages, create groups and rm them.
>


What this demonstrates to me is that a forgery is a forgery. PGP
'approved' control messages won't help--who is to do the approval but a
small body of self appointed power freaks? The truth of the matter is
that while these instructions and the mindset behind them is
reprehensible the same is true of the so-called 'approved' forgeries. No
one has the right to forge a cancel of another message.

I've never noted a correlation between 'the more intelligent' and
the 'longer participants' on the usenet--quite the contrary in fact. It is
their desire for control that has led to this type of abuse as they
themselves have long been practicing it.

What this clearly demonstrates is the need for consumer
protection legislation and serious enforcement against forgery and
an end to frontier justice at the hands of a mob which clearly does
not work.


Steve

David Wright

Jun 13, 1995, 3:00:00 AM
In article <3rgka0$i...@ccnet.ccnet.com>, Scott A. Moore <s...@ccnet.com> wrote:
#But are the standards being updated to make this kind of nonsense
#impossible (or more difficult) ? Requiring PGP signatures on control
#messages would seem like a start....

This has been discussed recently on the moderators list, and some good
work has been done on it, but I'm not aware of any date for implementation.

Bear in mind that using PGP signatures on all control messages would be
impractical until almost all news sites update to a future news version
with support for it (read: never), but the approach could be used to
protect moderated news groups and perhaps to verify newgroup messages.

Regards,
David Wright, speaking as a member of, but not for
group-...@uunet.uu.net, a small advisory list that tale refers
people to for advice on newsgroup naming and votes.
d...@bnr.co.uk <or> d...@bnr.ca

Colin Douthwaite

Jun 13, 1995, 3:00:00 AM
Daniel Hartung (dhar...@MCS.COM) wrote:

: Uh, for your benefit, here is the message ID from the
: Better Living thru Forgery "FAQ":
:
: >Message-ID: <StUPi...@uunet.uu.net>

There were actually TWO postings. Did you think one was just a duplicate ?
I thought so at first.

Bye,

Michael Shields

Jun 13, 1995, 3:00:00 AM
[Bogus news.admin.policy and alt.current-events.net-abuse elided and
followups redirected.]

In article <3rhijd$9...@taco.cc.ncsu.edu>,
The BOB(c) <asda...@unity.ncsu.edu> wrote:
> It does work and is useful for a number of reasons other than forgery.
> For instance, you can increase your propagation by submitting an
> article to several different sites at the same time.

That's not an argument for a cookbook example of how to use telnet 119!
Increasing propagation is the job of the news servers.
--
Shields.

Zoli Fekete, keeper of hungarian-faq

Jun 13, 1995, 3:00:00 AM

But that job is often not done. Protecting from the abuse promoted by
the example is also the job of the server, and obviously uunet failed to
do that. I can't fathom why do they leave posting open (while apparently
disabling the retrieval of article bodies)!
While submitting to several sites is not a good idea, sometimes
connecting to a remote server is a better (or the only) alternative to
posting locally - after all, your site may want to carry the group you
and the remote one both are interested in (and getting another feed just
for the sake of one group may not be practical). And 'telnet nntp' would be
neat for retrieving some articles from UUNET once they're gone from your
own server.

Zoli fek...@bc.edu (note my old full address @bcuxs2 is retired)
"For my assured failures and derelictions, I ask pardon beforehand of my
betters and my equals in my calling." - Rudyard Kipling


Lars Marowsky-Bree

Jun 13, 1995, 3:00:00 AM
Colin Douthwaite (Colin_Do...@equinox.gen.nz) wrote:

> : >Message-ID: <StUPi...@uunet.uu.net>
> There were actually TWO postings. Did you think one was just a duplicate ?
> I thought so at first.

Well yes, the second messageid was better. But take a look at the path...

pointer.in-minden.de!minden.in-minden.de!brolga.teuto.de!linteuto.teuto.de
!news.gun.de!news.hamburg.pop.de!nordwest.pop.de!informatik.uni-bremen.de
!cs.tu-berlin.de!zib-berlin.de!news.uni-ulm.de!rz.uni-karlsruhe.de!xlink.net
!howland.reston.ans.net!swrinde!elroy.jpl.nasa.gov!usc!news.cerf.net
!nntp2.cerf.net!bbs.ug.eds.com!ix.netcom.com!news.sesqui.net!nntpx.uu.net!tale

BTW, could somebody on the other side of the world please check this path? I
would like to know the largest common segment to track down the machine this
was posted via.

--

Lars Marowsky-Bree Voice: +49-571-63663 PGP-key avail. via server
HomePage: http://www.teuto.de/~lmb Mail: l...@pointer.in-minden.de

PGP-Id: 0xDAB57941 / CF FC 3A F0 86 F1 D3 EB 79 8A CF 75 4F 4C 81 DF
> So long, and thanks for all the fish! <

Rob J. Nauta

Jun 15, 1995, 3:00:00 AM
l...@pointer.in-minden.de (Lars Marowsky-Bree) writes:

>Colin Douthwaite (Colin_Do...@equinox.gen.nz) wrote:

I'm sorry for you German guys, you probably never get news the same day it's
posted ? 12 hops in Germany alone, is that all UUCP or does unido do NNTP
yet ? I heard Germany still doesn't allow 2400 modems and defines 1200 and
300 as the only allowable modems on the phone system, is that right :-)

I see news from UUnet passes through Dave's JPL and Netcom before going
to howland.reston.ans.net and via that to Europe, very interesting...

Rob
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Rob J. Nauta r...@redwood.nl

NOTE: my opinions are strictly my own and not those of my employer

Seth Breidbart

Jun 15, 1995, 3:00:00 AM
Newsgroups: de-Boursified

In article <3rkt1c...@bhars12c.bnr.co.uk>,


David Wright <d...@bnr.co.uk> wrote:
>In article <3rgka0$i...@ccnet.ccnet.com>, Scott A. Moore <s...@ccnet.com> wrote:
>#But are the standards being updated to make this kind of nonsense
>#impossible (or more difficult) ? Requiring PGP signatures on control
>#messages would seem like a start....
>
>This has been discussed recently on the moderators list, and some good
>work has been done on it, but I'm not aware of any date for implementation.
>
>Bear in mind that using PGP signatures on all control messages would be
>impractical until almost all news sites update to a future news version

Why? Those who update could check messages, those who don't could
either only accept messages from sites they trust (who have updated)
or they could accept all messages (as now). Some sites would be
better off, nobody would lose. (And, to the extent it makes forgery
less effective, it might reduce the amount of forgery as well.)

>with support for it (read: never), but the approach could be used to
>protect moderated news groups and perhaps to verify newgroup messages.

Nope; even a small partial implementation would do some good.

Seth

Michael Shields

Jun 15, 1995, 3:00:00 AM
In article <DA4xv...@pointer.in-minden.de>,

Lars Marowsky-Bree <l...@pointer.in-minden.de> wrote:
> Well yes, the second messageid was better. But take a look at the path...
>
> BTW, could somebody on the other side of the world please check this path? I
> would like to know the largest common segment to track down the machine this
> was posted via.

From a site actually connected to uunet:

Path: tembel!uunet!europa.chnt.gtegsc.com!news.mathworks.com!
newshost.marcam.com!usc!howland.reston.ans.net!pipex!warwick!
news.dcs.warwick.ac.uk!hgmp.mrc.ac.uk!sunsite.doc.ic.ac.uk!susx.ac.uk!
news.bton.ac.uk!agate!ix.netcom.com!news.sesqui.net!nntp1.uu.net!tale

Compare to a true Path: from tale:

Path: tembel!uunet!tale
--
Shields.

Michael Shields

unread,
Jun 15, 1995, 3:00:00 AM6/15/95
to
From: shi...@tembel.org (Michael Shields) In article <DA4xv...@pointer.in-minden.de>, Lars Marowsky-Bree <l...@pointer.in-minden.de> wrote: > Well yes, the second messageid was better. But take a look at the path... > pointer.in-minden.de!minden.in-minden.de!brolga.teuto.de!linteuto.teuto.de > !news.gun.de!news.hamburg.pop.de!nordwest.pop.de!informatik.uni-bremen.de > !cs.tu-berlin.de!zib-berlin.de!news.uni-ulm.de!rz.uni-karlsruhe.de!xlink.net > !howland.reston.ans.net!swrinde!elroy.jpl.nasa.gov!usc!news.cerf.net > !nntp2.cerf.net!bbs.ug.eds.com!ix.netcom.com!news.sesqui.net!nntpx.uu.net!tal > BTW, could somebody on the other side of the world please check this path? I > would like to know the largest common segment to track down the machine this > was posted via. From a site actually conncted to uunet: Path: tembel!uunet!europa.chnt.gtegsc.com!news.mathworks.com! newshost.marcam.com!usc!howland.reston.ans.net!pipex!warwick! news.dcs.warwick.ac.uk!hgmp.mrc.ac.uk!sunsite.doc.ic.ac.uk!susx.ac.uk! news.bton.ac.uk!agate!ix.netcom.com!news.sesqui.net!nntp1.uu.net!tale Compare to a true Path: from tale: Path: tembel!uunet!tale Shields. --------------------------------------------------- * The Blues Cafe! Dallas, Tx. Home of BigD Online * * Dallas' Best BBS List! (214) 638-1181 8 Lines! * ---------------------------------------------------

Alex Hayward

Jun 17, 1995, 3:00:00 AM
In article <DA4xv...@pointer.in-minden.de> l...@pointer.in-minden.de (Lars Marowsky-Bree) wrote:

> Colin Douthwaite (Colin_Do...@equinox.gen.nz) wrote:
>
> > : >Message-ID: <StUPi...@uunet.uu.net>
> > There were actually TWO postings. Did you think one was just a duplicate ?
> > I thought so at first.
>
> !nntp2.cerf.net!bbs.ug.eds.com!ix.netcom.com!news.sesqui.net!nntpx.uu.net!tale
>
> BTW, could somebody on the other side of the world please check this path? I
> would like to know the largest common segment to track down the machine this
> was posted via.
>

I'm not exactly on the other side of the world, but in both copies the path I
got is the same up to ix.netcom.com. Strangely (?) enough, the paths of the
two messages are the same up to that point as well...

Path:u-net.com!uknet!uel!news.provo.novell.com!nntp.et.byu.edu!
netline-fddi.jpl.nasa.gov!elroy.jpl.nasa.gov!swrinde!pipex!warwick!
news.dcs.warwick.ac.uk!hgmp.mrc.ac.uk!sunsite.doc.ic.ac.uk!susx.ac.uk!
news.bton.ac.uk!agate!ix.netcom.com!news.sesqui.net!nntp1.uu.net!tale

for Message-ID: <StUPi...@uunet.uu.net>

and

Path:
hayward.u-net.com!u-net.com!uknet!uel!news.provo.novell.com!nntp.et.byu.edu!
gatech!howland.reston.ans.net!lamarck.sura.net!guvax.acc.georgetown.edu!
ix.netcom.com!news.sesqui.net!nntpx.uu.net!tale

for Message-ID: <nTTz0....@uunet.uu.net>

--
al...@hayward.u-net.com
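The comparison Lars asks for and Alex carries out by eye, as an added example that is not part of any post in the thread: it computes the hops on which different observers agree, and measures how far a suspect Path: departs from the genuine one seen at the same site. The Path: strings are the ones quoted in the thread; the function names are this example's own.

```python
"""Compare Path: headers for the same article as recorded at different sites."""

# Path: headers quoted in the thread for the first suspect article.
SHIELDS_MSG1 = """Path: tembel!uunet!europa.chnt.gtegsc.com!news.mathworks.com!
newshost.marcam.com!usc!howland.reston.ans.net!pipex!warwick!
news.dcs.warwick.ac.uk!hgmp.mrc.ac.uk!sunsite.doc.ic.ac.uk!susx.ac.uk!
news.bton.ac.uk!agate!ix.netcom.com!news.sesqui.net!nntp1.uu.net!tale"""
HAYWARD_MSG1 = """Path:u-net.com!uknet!uel!news.provo.novell.com!nntp.et.byu.edu!
netline-fddi.jpl.nasa.gov!elroy.jpl.nasa.gov!swrinde!pipex!warwick!
news.dcs.warwick.ac.uk!hgmp.mrc.ac.uk!sunsite.doc.ic.ac.uk!susx.ac.uk!
news.bton.ac.uk!agate!ix.netcom.com!news.sesqui.net!nntp1.uu.net!tale"""

# Second suspect article: the tail of Lars's copy as quoted by Alex, and Alex's copy.
LARS_MSG2 = "!nntp2.cerf.net!bbs.ug.eds.com!ix.netcom.com!news.sesqui.net!nntpx.uu.net!tale"
HAYWARD_MSG2 = """Path:
hayward.u-net.com!u-net.com!uknet!uel!news.provo.novell.com!nntp.et.byu.edu!
gatech!howland.reston.ans.net!lamarck.sura.net!guvax.acc.georgetown.edu!
ix.netcom.com!news.sesqui.net!nntpx.uu.net!tale"""

# The genuine Path: for a real article from the same name, as seen at tembel.
GENUINE_AT_TEMBEL = "Path: tembel!uunet!tale"


def parse_path(header):
    """Return the hops of a (possibly folded) Path: header, newest hop first."""
    text = "".join(header.split())            # undo folding, drop all whitespace
    if text.lower().startswith("path:"):
        text = text[len("path:"):]
    return [hop for hop in text.split("!") if hop]


def common_suffix(paths):
    """Hops shared by every path, counted from the right-hand (origin) end.

    Each relay prepends its own name, so copies of one article agree on the
    right and diverge on the left. Anything the poster typed into Path:
    before injection also sits at the right, so the real entry point lies
    somewhere inside this suffix.
    """
    shared = []
    for hops in zip(*(reversed(p) for p in paths)):
        if len(set(hops)) != 1:
            break
        shared.append(hops[0])
    return shared[::-1]


def detour(baseline, suspect):
    """Hops in `suspect` that sit between the ends it shares with `baseline`."""
    limit = min(len(baseline), len(suspect))
    pre = 0
    while pre < limit and baseline[pre] == suspect[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and baseline[-1 - suf] == suspect[-1 - suf]:
        suf += 1
    return suspect[pre:len(suspect) - suf]


def shared_hops(first, second):
    """Hops of `first`, in order, that also occur in `second`."""
    return [hop for hop in first if hop in second]


def analyse():
    msg1 = common_suffix([parse_path(SHIELDS_MSG1), parse_path(HAYWARD_MSG1)])
    msg2 = common_suffix([parse_path(LARS_MSG2), parse_path(HAYWARD_MSG2)])
    return {
        "msg1_agreed": msg1,
        "msg2_agreed": msg2,
        # Hops both articles' agreed segments have in common: the sites
        # whose logs are worth asking for first.
        "both": shared_hops(msg2, msg1),
        # A real article reached tembel as uunet!tale; the suspect one took
        # this many extra hops between the same two ends.
        "extra_hops_at_tembel": detour(parse_path(GENUINE_AT_TEMBEL),
                                       parse_path(SHIELDS_MSG1)),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {'!'.join(value)}")
```

More observers shorten the agreed segment; a single observer cannot separate relayed hops from entries typed in by the poster.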

Kenneth Almquist

Jun 23, 1995, 3:00:00 AM
bou...@world.std.com (Stephen Boursy) writes:
> What this demonstrates to me is that a forgery is a forgery. PGP
> 'approved' control messages won't help--who is to do the approval but a
> small body of self appointed power freaks?

Cancel messages can be approved by the person who wrote the message being
cancelled. To implement this, include the public key of the originator
of each message in the message header. Require the cancel of a message
to be signed by the person who originated the message.

This can be made backward compatible. Make the public key optional; if
it is omitted then the signature on the cancel message is optional. Place
the signature in the message header rather than the body.

The main difficulties are legal: RSA is patented and cannot be legally
exported from the United States.
Kenneth Almquist
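One way a server could apply the rule proposed in the post above, as an added example that is not code from the thread or from any news software. The post has RSA in mind; so that this runs on the Python standard library alone, it substitutes a Lamport one-time signature built on SHA-256, and the header names `X-Cancel-Key` and `X-Cancel-Sig` and the `.invalid` Message-IDs are hypothetical.

```python
import hashlib
import os

KEY_HDR = "X-Cancel-Key"   # hypothetical header names, not taken from any RFC
SIG_HDR = "X-Cancel-Sig"


def _h(data):
    return hashlib.sha256(data).digest()


def _bits(message):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """One Lamport key pair: 256 pairs of secrets, and the hashes of them."""
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = b"".join(_h(s0) + _h(s1) for s0, s1 in secret)
    return secret, public.hex()


def sign(secret, message):
    """Reveal one secret per digest bit. A key pair may sign one message only;
    here that message is always the cancel for the article it was made for."""
    return b"".join(secret[i][bit] for i, bit in enumerate(_bits(message))).hex()


def verify(public_hex, message, signature_hex):
    try:
        public = bytes.fromhex(public_hex)
        signature = bytes.fromhex(signature_hex)
    except ValueError:
        return False
    if len(public) != 256 * 64 or len(signature) != 256 * 32:
        return False
    for i, bit in enumerate(_bits(message)):
        revealed = signature[32 * i:32 * i + 32]
        start = 64 * i + 32 * bit
        if _h(revealed) != public[start:start + 32]:
            return False
    return True


def post(message_id, secret_store, with_key=True):
    """Poster side: build article headers and keep the secret half locally."""
    headers = {"Message-ID": message_id}
    if with_key:
        secret, public_hex = keygen()
        secret_store[message_id] = secret
        headers[KEY_HDR] = public_hex
    return headers


def make_cancel(target_id, secret=None):
    """Build a cancel; the signature goes in a header, as the post suggests."""
    headers = {"Control": "cancel " + target_id}
    if secret is not None:
        headers[SIG_HDR] = sign(secret, headers["Control"].encode())
    return headers


def accept_cancel(article, cancel):
    """Server side: return (decision, reason) for a cancel aimed at `article`."""
    control = cancel.get("Control", "")
    if control != "cancel " + article["Message-ID"]:
        return False, "cancel does not name this article"
    key = article.get(KEY_HDR)
    if key is None:
        return True, "no key on article: signature optional (backward compatible)"
    signature = cancel.get(SIG_HDR)
    if signature is None:
        return False, "article carries a key but the cancel is unsigned"
    if not verify(key, control.encode(), signature):
        return False, "signature does not match the key posted with the article"
    return True, "signed by the key posted with the article"


if __name__ == "__main__":
    store = {}
    mid = "<a1@poster.invalid>"          # constructed Message-ID
    article = post(mid, store)
    print(accept_cancel(article, make_cancel(mid, store[mid])))
    print(accept_cancel(article, make_cancel(mid, keygen()[0])))
    print(accept_cancel(article, make_cancel(mid)))
```

The check ties a cancel to whoever holds the key that travelled with the article, so the server needs no keyserver, but it says nothing about who that holder is. An article posted without a key stays cancellable by anyone.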

Stephen Boursy

Jun 25, 1995, 3:00:00 AM
In article <DAnFM...@nntpa.cb.att.com>,

Kenneth Almquist <k...@socrates.hr.att.com> wrote:
>bou...@world.std.com (Stephen Boursy) writes:
>>
>> What this demonstrates to me is that a forgery is a forgery. PGP
>> 'approved' control messages won't help--who is to do the approval but a
>> small body of self appointed power freaks?
>
>Cancel messages can be approved by the person who wrote the message being
>cancelled. To implement this, include the public key of the originator
>of each message in the message header. Require the cancel of a message
>to be signed by the person who originated the message.
>


That sounds very good--it would help end forgery and ensure
those issuing cancels are only doing so on their own posts.


Steve

Seth Breidbart

Jun 25, 1995, 3:00:00 AM
Newsgroups: partially de-boursified

In article <DA41A...@world.std.com>,
Stephen Boursy <bou...@world.std.com> wrote:

> What this demonstrates to me is that a forgery is a forgery. PGP
>'approved' control messages won't help--who is to do the approval but a
>small body of self appointed power freaks?

How little you understand. PGP will _prevent_ anybody from creating a
believable forgery.

> The truth of the matter is
>that while these instructions and the mindset behind them is
>reprehensible the same is true of the so-called 'approved' forgeries. No
>one has the right to forge a cancel of another message.

And nobody will. Under the new scheme, there will be signed messages
that say "I believe message <id> should be deleted". Those messages
will be signed by the person posting them. Hence, there will be no
forgery involved.

> I've never noted a correlation between 'the more intelligent' and

Nobody here believes that you would recognize intelligence if it ran
screaming from you (which is quite likely, come to think of it).

> What this clearly demonstrates is the need for consumer
>protection legislation and serious enforcement against

adding bunches of Newsgroups: to the header

> forgery and

In case you haven't noticed, government banning doesn't prevent
something from happening.

Seth

Seth Breidbart

Jun 25, 1995, 3:00:00 AM
In article <3skuhb$1...@mark.ucdavis.edu>,
Albert Yang <sza...@rocky.ucdavis.edu> wrote:
>Seth Breidbart (se...@panix.com) wrote:

>: How little you understand. PGP will _prevent_ anybody from creating a
>: believable forgery.
>
>Since most of the PGP keys I've picked up off the MIT key server aren't
>signed by anybody (or only by themselves), what's to prevent somebody
>from creating a key for, say, Bill Clinton, signing it with that bogus
>key and a bogus Al Gore key, and then posting with a forged header?

Nothing. But nobody is going to cancel a message because "Bill
Clinton" said to, either, so I don't care.

(In any event, I'd expect their keys to be available from a
whitehouse.gov keyserver.)

Seth

Albert Yang

Jun 26, 1995, 3:00:00 AM
Seth Breidbart (se...@panix.com) wrote:
: Newsgroups: partially de-boursified

: In article <DA41A...@world.std.com>,
: Stephen Boursy <bou...@world.std.com> wrote:

: > What this demonstrates to me is that a forgery is a forgery. PGP
: >'approved' control messages won't help--who is to do the approval but a
: >small body of self appointed power freaks?

: How little you understand. PGP will _prevent_ anybody from creating a
: believable forgery.

Since most of the PGP keys I've picked up off the MIT key server aren't
signed by anybody (or only by themselves), what's to prevent somebody
from creating a key for, say, Bill Clinton, signing it with that bogus
key and a bogus Al Gore key, and then posting with a forged header?


--
Albert Yang | Q. What do you call an eigenvalue computed on
Internet: apy...@ucdavis.edu | the Pentium? A. An eigenerror.
-----------------------------------------------------------------------------
finger -l sza...@rocky.ucdavis.edu for PGP public key block

Russ Allbery

Jun 26, 1995, 3:00:00 AM
In news.admin.misc, Seth Breidbart <se...@panix.com> writes:
>
>Newsgroups: partially de-boursified

Newsgroups completely trimmed, with the possible exception of
comp.admin.policy (not sure if it's appropriate or not).

>How little you understand. PGP will _prevent_ anybody from creating a
>believable forgery.

Not until you solve the key management problem. Yes, it gives the news
server a possible way of establishing exactly who sent the control message,
but it's a lot more complex than it appears.

First, key checking is not a trivial operation, even when the public key is
available to do it. It isn't exactly *slow*, but doing it for every cancel
message is a serious processor drain.

The more serious problem is with key management -- in order to test the
validity of a control message, you need the person's public key. How do you
get that reasonably quickly? Not everyone uses the same keyserver, or makes
their key available in the same way. A key can also be easily created and
put on a keyserver under a false name. What about newbies cancelling
for-sale posts they posted; they now have to get PGP to do it? PGP doesn't
ship standard with Unix, and it isn't even available for many platforms that
can run news.

There are two standard ways to solve the key distribution problem: an
authoritative server and the web of trust. Having a central server that
authenticates keys goes against the entire spirit of Usenet, and how do you
propose to manage a web of trust so that a server in Mexico can know whether
a key originating in Norway is valid?

There are a *lot* of unsolved problems with switching to a PGP-based cancel
system. Now having individual spam-cancellers sign their cancel messages is
a far different idea than replacing the current cancel system, and in fact
would probably work. I gather NoCem is planning on starting a new control
message of some kind for this? (I should go research it a bit more.)

C. James Murphy

Jun 26, 1995, 3:00:00 AM

Somebody wrote:

>>The main difficulties are legal: RSA is patented and cannot be legally
>>exported from the United States.
>> Kenneth Almquist
>
>

You can get PGP if you look around. I got it from somewhere in Norway,
but you can try :

ftp: sable.ox.ac.uk
dir: /pub/crypto/pgp/pc/

You don't have any problems with the stupid USA export nonsense
because it's already out! Though the authorities are prosecuting the
fellow who wrote the program (PGP). They can't stand the idea that
people might be able to communicate without the government being able
to eavesdrop at their leisure. If you're interested, you might drop into
alt.security.pgp and lurk for a while. It's really interesting.

Jim Murphy

Oh, another neat trick, just to piss off the NSA and CIA eavesdropping
machines, which are supposedly filtering the postings and mail of
people the world over for certain word combinations, is to include
various words somewhere in your post. Something like: assassination,
bomb, nitrates, cocaine, kilos, feds, Kennedy, Clinton, etc.
There's a good chance some weenie will be reading this now, because a
computer flagged this posting. Go grab a donut pal.

John Stanley

Jun 28, 1995, 3:00:00 AM
In article <3sktbu$a...@panix3.panix.com>,

Seth Breidbart <se...@panix.com> wrote:
>How little you understand. PGP will _prevent_ anybody from creating a
>believable forgery.

You assume too much.

PGP will only prevent forgeries (believable or otherwise) if everyone in
the world uses it for everything they distribute electronically.

Two examples where PGP doesn't do squat:

1. Someone forges something with my name on it with no PGP signature.
You can run your PGP forgery detector over it a million times and you
won't detect, or have prevented, the forgery.

2. Someone forges a PGP key for me and sends it to a key distribution
center. Then they forge an article and sign it with my forged key. Your
PGP forgery detector says "not a forgery".


John Stanley

Jun 28, 1995, 3:00:00 AM
In article <3squtg$c...@globe.indirect.com>,
Jason and Heather <stei...@indirect.com> wrote:

>John Stanley (sta...@skyking.OCE.ORST.EDU) wrote:
>> Two examples where PGP doesn't do squat:
>amazing how PGP doesn't work if you don't use it.

No, amazing how PGP doesn't work if either one of the parties doesn't
use it.

>> 2. Someone forges a PGP key for me and sends it to a key
>> distribution center. Then they forge an article and sign it with my
>> forged key. Your PGP forgery detector says "not a forgery".
>

>not if the person who wrote it knows anything about public key
>crypto it doesn't.

Well, let's assume that the person who wrote PGP knows "anything" about
public key crypto. That means that you think that running PGP on a
forged, signed article, using the forged public key that matches the
forged private key the article was signed with, will report that the
article is a forgery. Can you explain why this won't happen, given that
the author of PGP himself mentions this as a problem?


Steve Gilham

Jun 28, 1995, 3:00:00 AM
C. James Murphy (mur...@cadvision.com) wrote:

> Somebody wrote:

> >>The main difficulties are legal: RSA is patented and cannot be legally
> >>exported from the United States.
> >> Kenneth Almquist
> >
> >

> You can get PGP if you look around. I got it from somewhere in Norway,
> but you can try :

> ftp: sable.ox.ac.uk
> dir: /pub/crypto/pgp/pc/

> You don't have any problems with the stupid USA export nonsense
> because it's already out! Though the authorities are prosecuting the

Not only that, but the patents, being post-publication, aren't valid
outside the US either. However some countries (e.g. France) have made
use of strong crypto like PGP - even just for digital signatures -
illegal.

> Oh, another neat trick, just to piss off the NSA and CIA eavesdropping
> machines, which are supposedly filtering the postings and mail of
> people the world over for certain word combinations, is to include
> various words somewhere in your post. Something like: assassination,
> bomb, nitrates, cocaine, kilos, feds, Kennedy, Clinton, etc.
> There's a good chance some weenie will be reading this now, because a
> computer flagged this posting. Go grab a donut pal.

If you use emacs as an editing package, you can save effort by just
going Meta-x spook to get a randomly selected bunch of keywords like


Rule Psix radar bomb Honduras $400 million in gold bullion Peking
Noriega BATF Nazi FSF kibo genetic supercomputer fissionable spy


--
-- st...@windsong.demon.co.uk (home) ---- PGP keys available on keyservers --
Steve Gilham |GDS Ltd.,Wellington Ho. |Lives of great men all remind us
Software Specialist|East Road, Cambridge |We may make our lives sublime
steveg@ |CB1 1BH, UK |And departing, leave behind us
uk.gdscorp.com |Tel:(44)1223-300111x2904|Footprints in the sands of time.
Key fingerprint = 08 8A 67 70 6E 86 09 B4 38 0A BD C4 53 1C 88 99


Michael Cramer

Jun 28, 1995, 3:00:00 AM
John Stanley (sta...@skyking.oce.orst.edu) wrote:
: >> 2. Someone forges a PGP key for me and sends it to a key
: >> distribution center. Then they forge an article and sign it with my
: >> forged key. Your PGP forgery detector says "not a forgery".
: >
: >not if the person who wrote it knows anything about public key
: >crypto it doesn't.

: article is a forgery. Can you explain why this won't happen, given that
: the author of PGP himself mentions this as a problem?

You are forgetting one of the basic -- and crucial -- aspects of using PGP
effectively. If you don't have PROOF that a key is valid, then the only
information you can get from a PGP signature is the validity of the signature.
Just because the signature is valid does not mean the key is valid. There are
only two ways to tell whether a key is valid: 1) It is signed by someone you
trust not to sign fake keys. 2) You get it personally from the owner. A key
can be on every keyserver and signed by three hundred other keys, and you
still can't prove a thing about its owner unless you trust one or more of the
signatures.

--
Mike Cramer

Jason and Heather

Jun 28, 1995, 3:00:00 AM
John Stanley (sta...@skyking.OCE.ORST.EDU) wrote:
> Seth Breidbart <se...@panix.com> wrote:
> >
> >How little you understand. PGP will _prevent_ anybody from
> >creating a believable forgery.

> You assume too much.

> PGP will only prevent forgeries (believable or otherwise) if
> everyone in the world uses it for everything they distribute
> electronically.

> Two examples where PGP doesn't do squat:

> 1. Someone forges something with my name on it with no PGP
> signature. You can run your PGP forgery detector over it a million
> times and you won't detect, or have prevented, the forgery.

amazing how PGP doesn't work if you don't use it.

> 2. Someone forges a PGP key for me and sends it to a key
> distribution center. Then they forge an article and sign it with my
> forged key. Your PGP forgery detector says "not a forgery".

not if the person who wrote it knows anything about public key
crypto it doesn't.

jason

--
Lord, grant me the serenity to accept the things I cannot change, the
courage to change the things I can, and the wisdom to hide the bodies
of those people I had to kill because they pissed me off.
`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,` stei...@indirect.com `,`,`,`

Mike Schenk

Jun 28, 1995, 3:00:00 AM
Arnoud "Galactus" Engelfriet <gala...@stack.urc.tue.nl> writes in news.admin.policy,comp.admin.policy,comp.security.misc,misc.legal.computing,news.admin.misc,alt.activism,alt.censorship,alt.comp.acad-freedom.talk,alt.fan.speedbump,news.admin.net-abuse.misc:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>In article <3sq69f$g...@gaia.ucs.orst.edu>,

>sta...@skyking.OCE.ORST.EDU (John Stanley) wrote:
>> Two examples where PGP doesn't do squat:
>>
>> 1. Someone forges something with my name on it with no PGP signature.
>> You can run your PGP forgery detector over it a million times and you
>> won't detect, or have prevented, the forgery.
>
>Unless of course you state in public that anything _without_ a valid
>signature *is* a forgery.

But why would anyone believe you?

Mike

Arnoud Galactus Engelfriet

Jun 28, 1995, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <3sq69f$g...@gaia.ucs.orst.edu>,
sta...@skyking.OCE.ORST.EDU (John Stanley) wrote:
> Two examples where PGP doesn't do squat:
>
> 1. Someone forges something with my name on it with no PGP signature.
> You can run your PGP forgery detector over it a million times and you
> won't detect, or have prevented, the forgery.

Unless of course you state in public that anything _without_ a valid
signature *is* a forgery.

> 2. Someone forges a PGP key for me and sends it to a key distribution
> center. Then they forge an article and sign it with my forged key. Your
> PGP forgery detector says "not a forgery".

Why should anyone believe a key is mine just because my name is on it?

Galactus

****** To find out more about PGP, send mail with subject HELP PGP to me ******
[Press spacebar for signatures or 'n' for next article]

- --
****** To find out more about PGP, send mail with subject HELP PGP to me ******
E-mail: gala...@stack.urc.tue.nl - PGP encrypted please - Mail for info < >
Keyprint: DD FC 6F 05 C5 1C 86 B2 E7 3B 6A BD 06 CF E8 4E - ID 416A1A35 > <
"I'm the best there is at what I do. Though what I do isn't very nice!" ||


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAgUBL/GBjTyeOyxBaho1AQGlQQP/ZQppjC3GMUttpa3O4n+i+/eLjwFrqL5A
qv+CdQS9obj0AcLMAutW8r18j5dvHimHtkZK5DUY13N8VyyuSpDDRTX5WfYUPKhp
v3zXhl1YwURz+GiAOOswTzfl76DwkYGe82jCJxRYBQlHWxSbp0Rpx6+B3WGyslg1
PcSTh0s1ogA=
=/uKZ
-----END PGP SIGNATURE-----

Stephen Boursy

Jun 29, 1995, 3:00:00 AM
In article <80436426...@oce.orst.edu>,

John Stanley <sta...@skyking.oce.orst.edu> wrote:
>In article <3squtg$c...@globe.indirect.com>,
>Jason and Heather <stei...@indirect.com> wrote:
>>
>>
>>amazing how PGP doesn't work if you don't use it.
>
>No, amazing how PGP doesn't work if either one of the parties doesn't
>use it.
>


For additional security my PGP .sig is in invisible ink. It's
not perfect but it helps.


Steve


Dom De Vitto

Jun 29, 1995, 3:00:00 AM
Michael Cramer (cra...@farallon.geosc.psu.edu) wrote:
> John Stanley (sta...@skyking.oce.orst.edu) wrote:
> : >> 2. Someone forges a PGP key for me and sends it to a key
> : >> distribution center. Then they forge an article and sign it with my
> : >> forged key. Your PGP forgery detector says "not a forgery".
> : >
> : >not if the person who wrote it knows anything about public key
> : >crypto it doesn't.

> : article is a forgery. Can you explain why this won't happen, given that
> : the author of PGP himself mentions this as a problem?

> You are forgetting one of the basic -- and crucial -- aspects of using PGP
> effectively. If you don't have PROOF that a key is valid, then the only
> information you can get from a PGP signature is the validity of the signature.
> Just because the signature is valid does not mean the key is valid. There are
> only two ways to tell whether a key is valid: 1) It is signed by someone you
> trust not to sign fake keys. 2) You get it personally from the owner. A key
> can be on every keyserver and signed by three hundred other keys, and you
> still can't prove a thing about its owner unless you trust one or more of the
> signatures.

That is exactly the point, and makes PGP brilliant and crap.

Dom

Michael Cramer

Jun 29, 1995, 3:00:00 AM
Dom De Vitto (dev...@london.sinet.slb.com) wrote:
: That is exactly the point, and makes PGP brilliant and crap.

But when used properly, effective crap. While internet based email and posting
is at best untrustworthy and insecure -- when used properly.

--
Mike Cramer

John Stanley

Jun 29, 1995, 3:00:00 AM
In article <3ss9vl$6...@wegener.ems.psu.edu>,

Michael Cramer <MikeC...@psu.edu> wrote:
>John Stanley (sta...@skyking.oce.orst.edu) wrote:
>: >> 2. Someone forges a PGP key for me and sends it to a key
>: >> distribution center. Then they forge an article and sign it with my
>: >> forged key. Your PGP forgery detector says "not a forgery".
>: >
>: >not if the person who wrote it knows anything about public key
>: >crypto it doesn't.
>
>: article is a forgery. Can you explain why this won't happen, given that
>: the author of PGP himself mentions this as a problem?
>
>You are forgetting one of the basic -- and crucial -- aspects of using PGP
>effectively.

Come on, people. Figure it out.

No, I am not the one who is forgetting the problem of key
authenticity. If you look at the example, which demonstrates that
problem perfectly, you might note that _I_ was the one who provided
that example. Count the ">"s. I am perfectly aware of the problem of
authenticating keys, and that keys can be created on behalf of other
people, and that this tiny detail is what makes PGP fail at being a
forgery detector.

>If you don't have PROOF that a key is valid, then the only
>information you can get from a PGP signature is the validity of the signature.

Well, that depends on what you mean by "valid". If you mean, as the
person who claimed that using PGP prevented forgeries did, that "valid"
means "from the person who it claims to be from", then you are wrong.

The only meaning of "valid" that makes your claim true is "matches the
public key". "Matches the public key" is not proof that the article
signed by the private key is not a forgery. Since it was claimed that
PGP would prevent forgeries, and this simple example shows that it will
not, I think I made my point.


John Stanley

Jun 29, 1995, 3:00:00 AM
In article <t8W8v4uY...@stack.urc.tue.nl>,
Arnoud "Galactus" Engelfriet <gala...@stack.urc.tue.nl> wrote:

Why is it so hard for PGP fans to accept what PGP does not do?

>In article <3sq69f$g...@gaia.ucs.orst.edu>,
>sta...@skyking.OCE.ORST.EDU (John Stanley) wrote:
>> Two examples where PGP doesn't do squat:
>>
>> 1. Someone forges something with my name on it with no PGP signature.
>> You can run your PGP forgery detector over it a million times and you
>> won't detect, or have prevented, the forgery.
>
>Unless of course you state in public that anything _without_ a valid
>signature *is* a forgery.

PGP will have neither prevented nor detected a forgery of the type I
mentioned. In other words, PGP didn't do squat. You might believe the
article is a forgery based on information other than from PGP, but PGP
didn't tell you the article was forged. At best, it will tell you
"unsigned".

And if your "proof" that something is a forgery is someone saying it
is, then you must be buddies with John Palmer.

>> 2. Someone forges a PGP key for me and sends it to a key distribution
>> center. Then they forge an article and sign it with my forged key. Your
>> PGP forgery detector says "not a forgery".
>

>Why should anyone believe a key is mine just because my name is on it?

Uhhhh, because they got it from a recognized keyserver?

But it doesn't matter if they believe the key is yours. PGP will say
that the keys match, and thus, according to PGP, the article is not a
forgery. In other words, PGP didn't do squat to prevent or detect the
forgery. YOU have to understand that the key you got might be bogus, and
YOU have to put your own level of trust in the key. In short, YOU
have to decide to believe PGP or not, even when PGP is saying "not a
forgery".

So, two cases in which PGP doesn't do squat to prevent or detect
forgeries. Just like I said.

Now, you seem to think that my saying that anything without a signature
is a forgery would allow people to detect forgeries in my name. Not
"allow PGP", since PGP can't possibly know what I said. I will assume,
of course, that you wouldn't accept such a statement without it being
signed, for if you did you would be stuck in a paradox. I didn't sign
it, so it must be a forgery because it says unsigned things from me are
forgeries. But, if it is a forgery, then the statement is untrue, and
the article could be real. But if it's real, then it's a forgery...

Ok, let's try this: someone forges a public/private key in my name. They
send the public key off to a keyserver. They post an article that says
"From this point on, anything I post will be signed. Anything not signed
is a forgery."

Not only will PGP tell you that the article is real (the keys match!),
you will now think that real articles are forgeries. You are 180 degrees
out of phase with reality. How convenient.


Michael Cramer

Jun 29, 1995, 3:00:00 AM
John Stanley (sta...@skyking.oce.orst.edu) wrote:

: >Why should anyone believe a key is mine just because my name is on it?

: Uhhhh, because they got it from a recognized keyserver?

Because a key is on a keyserver is not proof it belongs to the person it
appears to belong to. Anyone who trusts a key just because it was on a
keyserver should not be using PGP.

: But it doesn't matter if they believe the key is yours. PGP will say
: that the keys match, and thus, according to PGP, the article is not a
: forgery. In other words, PGP didn't do squat to prevent or detect the

No. PGP will say:

Good signature from user "Blah Blah Blah <bl...@blah.blah>".
Signature made 1995/06/29 21:06 GMT

WARNING: Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "Blah Blah Blah <bl...@blah.blah>".


If you believe an uncertified key, that's your own damn fault.

: YOU have to put your own level of trust in the key. In short, YOU

Exactly.

: have to decide to believe PGP or not, even when PGP is saying "not a
: forgery".

PGP does not say anything about forgery. It only knows keys.

: So, two cases in which PGP doesn't do squat to prevent or detect
: forgeries. Just like I said.

PGP can't detect anything if you don't give it enough information to work
with. If someone came up to me on the street and handed me a million Indian
Rupees, I wouldn't be able to tell if they were forgeries or not. I don't have
enough information to make that sort of judgement. Same with PGP. No one
(with any knowledge of how PGP works) claims it is a solution in itself, only
that it is a tool which, when used properly, can be PART of a solution.

: Now, you seem to think that my saying that anything without a signature
: is a forgery would allow people to detect forgeries in my name. Not
: "allow PGP", since PGP can't possibly know what I said. I will assume,
: of course, that you wouldn't accept such a statement without it being
: signed, for if you did you would be stuck in a paradox. I didn't sign
: it, so it must be a forgery because it says unsigned things from me are
: forgeries. But, if it is a forgery, then the statement is untrue, and
: the article could be real. But if it's real, then it's a forgery...

That's why anyone who wants to use PGP effectively makes sure they get their
keys (or at least the key's fingerprint) from the owners directly -- face to
face. You have to step out of the loop at least once before you can trust a
key.

: Ok, let's try this: someone forges a public/private key in my name. They
: send the public key off to a keyserver. They post an article that says
: "From this point on, anything I post will be signed. Anything not signed
: is a forgery."
: Not only will PGP tell you that the article is real (the keys match!),
: you will now think that real articles are forgeries. You are 180 degrees
: out of phase with reality. How convenient.

No, because 1) I don't trust unsigned posts. 2) I don't trust posts which are
signed with keys I don't trust. Therefore, I would ignore the entire scenario
you just mentioned.

--
Mike Cramer

Seth Breidbart

Jun 29, 1995, 3:00:00 AM
In article <80445862...@oce.orst.edu>,
John Stanley <sta...@skyking.oce.orst.edu> wrote:

>But it doesn't matter if they believe the key is yours. PGP will say
>that the keys match, and thus, according to PGP, the article is not a
>forgery. In other words, PGP didn't do squat to prevent or detect the
>forgery. YOU have to understand that the key you got might be bogus, and
>YOU have to put your own level of trust in the key. In short, YOU
>have to decide to believe PGP or not, even when PGP is saying "not a
>forgery".

PGP will tell me that the person who signed _this_ message is the
_same_ person who signed all the previous messages with the same name.
I don't know who "John Stanley <sta...@skyking.oce.orst.edu>" is, but
I know that someone who posts under that name has earned some
credibility by posting correct things. As things stand now, there's
no way for me to tell if an article that appears under that name was
posted by the same person who earned that credibility. With PGP, I
could so determine. It might well be that the person posting under
that name is _really_ named Michael Valentine Smith, but so what?

In short, PGP tells me that "The person who signed _this_ article is
the same person who signed _those other_ articles."

Seth

Russ Allbery

Jun 29, 1995, 3:00:00 AM
[ Newsgroups line annihilated in massive explosion. Police are attempting
to locate the antimatter group. Film at 11. ]

In news.admin.misc, Michael Cramer <MikeC...@psu.edu> writes:
>
>You are forgetting one of the basic -- and crucial -- aspects of using PGP
>effectively. If you don't have PROOF that a key is valid, then the only
>information you can get from a PGP signature is the validity of the signature.
>Just because the signature is valid does not mean the key is valid. There are
>only two ways to tell whether a key is valid: 1) It is signed by someone you
>trust not to sign fake keys. 2) You get it personally from the owner. A key
>can be on every keyserver and signed by three hundred other keys, and you
>still can't prove a thing about its owner unless you trust one or more of the
>signatures.

Exactly. Now since the news servers don't know any poster from Adam, and
therefore cannot verify their keys, how does adding PGP to news servers help
at all?

Arnoud Galactus Engelfriet

Jun 30, 1995, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

In article <80445862...@oce.orst.edu>,


sta...@skyking.oce.orst.edu (John Stanley) wrote:
> In article <t8W8v4uY...@stack.urc.tue.nl>,
> Arnoud "Galactus" Engelfriet <gala...@stack.urc.tue.nl> wrote:
>
> Why is it so hard for PGP fans to accept what PGP does not do?

I'm just pointing out some inaccuracies I saw about PGP.

> >Unless of course you state in public that anything _without_ a valid
> >signature *is* a forgery.
>
> PGP will have neither prevented nor detected a forgery of the type I
> mentioned. In other words, PGP didn't do squat. You might believe the
> article is a forgery based on information other than from PGP, but PGP
> didn't tell you the article was forged. At best, it will tell you
> "unsigned".

Yes, but PGP can tell you that the signature is invalid, or that there
is no signature on the message. Using that information, you can decide
that it's a forgery.

> And if your "proof" that something is a forgery is someone saying it
> is, then you must be buddies with John Palmer.

No, I mean that if you see an article claiming to be from _me_ without
a valid signature from _my_ secret key, then that article is a forgery.

> >Why should anyone believe a key is mine just because my name is on it?
>
> Uhhhh, because they got it from a recognized keyserver?

A keyserver does not guarantee the key is from the person whose name is
on it.

> But it doesn't matter if they believe the key is yours. PGP will say
> that the keys match, and thus, according to PGP, the article is not a
> forgery. In other words, PGP didn't do squat to prevent or detect the
> forgery. YOU have to understand that the key you got might be bogus, and
> YOU have to put your own level of trust in the key. In short, YOU
> have to decide to believe PGP or not, even when PGP is saying "not a
> forgery".

The problem lies with _key distribution_ not with PGP per se. If you
could only obtain PGP keys by visiting the owner of the key in person,
then PGP would work perfectly.

> Now, you seem to think that my saying that anything without a signature
> is a forgery would allow people to detect forgeries in my name. Not
> "allow PGP", since PGP can't possibly know what I said. I will assume,
> of course, that you wouldn't accept such a statement without it being
> signed, for if you did you would be stuck in a paradox. I didn't sign
> it, so it must be a forgery because it says unsigned things from me are
> forgeries. But, if it is a forgery, then the statement is untrue, and
> the article could be real. But if it's real, then it's a forgery...

That's where my headaches usually begin. :-)
I always sign articles I post, so you would at least raise an eyebrow
if you saw an article with "From: gala...@stack.urc.tue.nl" without
the -----BEGIN PGP SIGNED MESSAGE----- at the top of the body. In theory,
you should assume that this hypothetical article is a forgery, because
I didn't sign it.

> Ok, let's try this: someone forges a public/private key in my name. They
> send the public key off to a keyserver. They post an article that says
> "From this point on, anything I post will be signed. Anything not signed
> is a forgery."
>
> Not only will PGP tell you that the article is real (the keys match!),
> you will now think that real articles are forgeries. You are 180 degrees
> out of phase with reality. How convenient.

Interesting problem. Of course, I'll now say that you shouldn't trust
signatures when you don't have a validated key, so your example doesn't
work. In this case, I doubt that you have a validated key from me, so
the signature below this message doesn't tell you anything about this
message.

Galactus
I'd appreciate a Cc to followups, since I won't be reading news during
the next week.

****** To find out more about PGP, send mail with subject HELP PGP to me ******
[Press spacebar for signatures or 'n' for next article]

- --
****** To find out more about PGP, send mail with subject HELP PGP to me ******
E-mail: gala...@stack.urc.tue.nl - PGP encrypted please - Mail for info < >
Keyprint: DD FC 6F 05 C5 1C 86 B2 E7 3B 6A BD 06 CF E8 4E - ID 416A1A35 > <
"I'm the best there is at what I do. Though what I do isn't very nice!" ||


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAgUBL/P/KjyeOyxBaho1AQFKBAQAlsPQwzwAbDiV03G0ZmHKqtgezSLhEh/F
izP9i8v43k2iZpUXcvBXw9xO0Vew2UUrBjzmQ9mBFNUb+1O9Oj9ebhPY46nRtUaW
5IA+hFBGp6+MqLb0J5Qo9Qgb0viYYS0fBgNTDdJ1SiRzPlArl7nhhMFC+SpiEOeN
zE3E/aDvieU=
=VVXC
-----END PGP SIGNATURE-----

John Stanley

Jun 30, 1995, 3:00:00 AM
In article <3sv634$c...@wegener.ems.psu.edu>,
Michael Cramer <MikeC...@psu.edu> wrote:
>John Stanley (sta...@skyking.oce.orst.edu) wrote:
>
>: >Why should anyone believe a key is mine just because my name is on it?
>
>: Uhhhh, because they got it from a recognized keyserver?
>
>Because a key is on a keyserver is not proof

You didn't ask why it would prove it was yours, you asked why they
would believe it was yours. People believe a lot of things when they
are told them by something that looks like an official source. People
keep talking about USENET as if it were just a part of the Internet,
because their ISP hyped it that way in their advertising. People keep
calling USENET newsgroups "bulletin boards". Many of them are going to
look at a key they get from a keyserver with an expectation that it is
valid, just like they accept the From: address in email because the
computer is telling it to them.

>appears to belong to. Anyone who trusts a key just because it was on a
>keyserver should not be using PGP.

There will be a lot of people that you don't want using PGP, then,
because they will use it. How do you intend on stopping them?

>: So, two cases in which PGP doesn't do squat to prevent or detect
>: forgeries. Just like I said.
>
>PGP can't detect anything if you don't give it enough information to work
>with.

Hey! Really?

>That's why anyone who wants to use PGP effectively makes sure they get their
>keys (or at least the key's fingerprint) from the owners directly -- face to
>face. You have to step out of the loop at least once before you can trust a
>key.

Oh, I can see it now. I start signing my articles, and thousands of
people start wandering into the lab here trying to get my public key.
No thanks.

>No, because 1) I don't trust unsigned posts.

Well now, I just went through a long explanation why I didn't think you
would trust unsigned posts, didn't I? That's why I said that the posting
with the "I always sign" statement was signed.

>2) I don't trust posts which are
>signed with keys I don't trust. Therefore, I would ignore the entire scenario
>you just mentioned.

And many people would not.


John Stanley

Jun 30, 1995, 3:00:00 AM
In article <3svkie$q...@panix3.panix.com>,
Seth Breidbart <se...@panix.com> wrote:
>PGP will tell me that the person who signed _this_ message is the
>_same_ person who signed all the previous messages with the same name.

No, PGP will not tell you that. PGP will tell you that the article you
are looking at was signed with a private key that matches the public
key you have on hand for someone.

Since I have not signed any previous articles, you cannot know that
any article that shows up with a signature that passes the PGP test was
posted by the same person who posted the previous ones.

And, at the (not too distant) extreme of paranoia, you can't know that
two messages signed by the same private key are from the same person.
All you know is that they are signed by the same private key.

>In short, PGP tells me that "The person who signed _this_ article is
>the same person who signed _those other_ articles."

In short, not true. And, in short, not relevant to the concept of
"forgery", which is the specific argument that I am here for.


Jason and Heather

Jul 1, 1995, 3:00:00 AM
John Stanley <sta...@skyking.oce.orst.edu> wrote:
> Jason and Heather <stei...@indirect.com> wrote:
> > John Stanley (sta...@skyking.OCE.ORST.EDU) wrote:
> > > Two examples where PGP doesn't do squat:
> >
> > amazing how PGP doesn't work if you don't use it.
>
> No, amazing how PGP doesn't work if either one of the parties doesn't
> use it.

no shit, sherlock.

> > > 2. Someone forges a PGP key for me and sends it to a key
> > > distribution center. Then they forge an article and sign it with my
> > > forged key. Your PGP forgery detector says "not a forgery".
> >
> > not if the person who wrote it knows anything about public key
> > crypto it doesn't.
>
> Well, let's assume that the person who wrote PGP knows "anything" about
> public key crypto. That means that you think that running PGP on a
> forged, signed article, using the forged public key that matches the
> forged private key the article was signed with, will report that the
> article is a forgery. Can you explain why this won't happen, given that
> the author of PGP himself mentions this as a problem?

because PGP doesn't ever _say_ that "this is a forgery".

the _most_ it can say is that a particular document was indeed signed
with the private counterpart of a public key that you hold. so what
does that mean? maybe nothing. a person who writes a forgery detector
will know this, and will not make broad, sweeping statements based
upon the fact that a signature matches.

the author of PGP knew this, and that's why he went to all the trouble
to write in the "web of trust" stuff. if the fact that a document had
a valid signature on it was all you needed, we wouldn't need to bother
with all that.

yes, _anyone_ can create a key with a particular name on it. but until
that key is verified, it doesn't mean squat, and any decent forgery
detector program will say as much.

"Post signed by unverified key <pres...@whitehouse.com>. Possible forgery."
"Post unsigned. Possible forgery."

the verdict is the same.

jason

--
There is nothing nobler or more admirable than when two people who see
eye to eye keep house as man and wife, confounding their enemies and
delighting their friends, as they themselves know better than anyone.
HOMER, The Odyssey
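
The verdicts described in the post above, as an added example that is not part of the original thread: it maps the machine-readable status lines GnuPG prints with `gpg --status-fd 1 --verify` to "forgery detector" messages, separating signature validity (GOODSIG/BADSIG) from key validity (TRUST_*). Using GnuPG rather than PGP 2.6.2 is an assumption, and the key ID, addresses and sample status lines are constructed.

```python
import re

ACCEPTED_VALIDITY = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def parse_status(lines):
    """Collect '[GNUPG:] KEYWORD args' lines into {KEYWORD: args}."""
    events = {}
    for line in lines:
        if line.startswith("[GNUPG:] "):
            keyword, _, args = line[9:].partition(" ")
            events[keyword] = args
    return events

def verdict(from_addr, status_lines):
    """Forgery verdict for one article claiming to be from from_addr."""
    ev = parse_status(status_lines)
    if "BADSIG" in ev:
        return "Signature does not match the text. Forgery or corruption."
    if "ERRSIG" in ev:
        return "Post signed by a key not on the keyring. Possible forgery."
    if any(k in ev for k in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG")):
        return "Post signed by an expired or revoked key. Possible forgery."
    if "GOODSIG" not in ev:
        return "Post unsigned. Possible forgery."
    # From here on the signature is cryptographically valid. Whether the
    # KEY is valid is a separate question that only the keyring's trust
    # data (certifications by introducers you trust) can answer.
    uid = ev["GOODSIG"].partition(" ")[2]
    m = re.search(r"<([^<>]+)>", uid)
    signer = m.group(1).lower() if m else "unknown"
    if ACCEPTED_VALIDITY.isdisjoint(ev):
        return f"Post signed by unverified key <{signer}>. Possible forgery."
    # Simplification: GOODSIG reports only the key's primary user ID.
    if signer != from_addr.lower():
        return (f"Post signed by verified key <{signer}>, "
                "not the From: address. Possible forgery.")
    return f"Post signed by verified key <{signer}>."

# Constructed status output (made-up key ID and addresses).
GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF A Poster <poster@example.org>"
SAMPLES = {
    "unsigned": ["[GNUPG:] NODATA 1"],
    "tampered": ["[GNUPG:] BADSIG 0123456789ABCDEF A Poster <poster@example.org>"],
    "keyserver key": [GOOD, "[GNUPG:] TRUST_UNDEFINED 0 pgp"],
    "certified key": [GOOD, "[GNUPG:] TRUST_FULLY 0 pgp"],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(f"{name:14} {verdict('poster@example.org', lines)}")
```
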

Tom Swiss

Jul 3, 1995, 3:00:00 AM
stei...@bud.indirect.com (Jason and Heather) writes:
>
>yes, _anyone_ can create a key with a particular name on it. but until
>that key is verified, it doesn't mean squat, and any decent forgery
>detector program will say as much.
>
>"Post signed by unverified key <pres...@whitehouse.com>. Possible forgery."
>"Post unsigned. Possible forgery."
>
>the verdict is the same.

"Post signed by verified key <pres...@whitehouse.com>, but verifying
authority could have been spoofed. Possible forgery."

"Post signed by verified key <pres...@whitehouse.com>, but private
key could have been extracted from owner by use of mind-control drugs. Or
TEMPEST emissions. Or shoulder surfing. Or extra-terrestrial telepathy
machines, if you believe in that sort of thing. Possible forgery."

"Post signed by verified key <pres...@whitehouse.com>, but this
forgery detection program could just flat-out be lying to you. Possible
forgery."

"Post signed by verified key <pres...@whitehouse.com>, but your
recollection of reading this message could be a _Total Recall_ style
implanted memory. Possible forgery."

Epistemological issues aside, with enough resources any communication
can be faked. (Except maybe a face-to-face meeting with someone you know
extremely well; even then, there's a possibility that they've been
subverted by The Enemy. Heck, when I talk to myself, I'm not always sure
it's really me...) But we can say it is more or less likely that a certain
communication was faked, based on the costs of doing so.

== Tom Swiss/t...@tis.com ==== "Born to die." === _I_ shot Montgomery Burns. ==
"What's so funny 'bout peace, love and understanding?" - Nick Lowe
"If at first you don't succeed, try, try, and try again. Then give
up. There's no use being a damned fool about it." -- W.C. Fields

Peter da Silva

Jul 5, 1995, 3:00:00 AM
In article <3su3qp$t5v@snlsu1>,
Dom De Vitto <dev...@london.sinet.slb.com> wrote:
> That is exactly the point, and makes PGP brilliant and crap.

This is an inherent problem of *any* authentication system. You have to have
an authority that can verify that the identification provided by the system
is valid. This is true whether you're talking about PGP certificates or birth
certificates.

If this suffices to make PGP crap, why then so also does it make every scheme
that provides a mechanism for identifying people crap. For the flaws of the
one are shared by all.
--
Peter da Silva (NIC: PJD2) `-_-'
Network Management Technology Incorporated