Hey guys, this is a heads-up about Karl Denninger's new clean-news system. I haven't seen any posts on this list about it. His message describing the implementation is attached below, posted "publicly" on chi.internet. (skip the quoted stuff) Karl is about to send out cancel messages, cancelling _every_ Usenet binary that is not PGP-signed by someone registered with his system. He says that these cancels will only go out to people he explicitly peers with, and not Usenet at large. He then adds that what these peers do with the cancel msgs is their own business. Folks, the goal is good, but the implementation is bad. These cancel msgs will leak out to Usenet at large. History proves this; leaking of net.*, bofh.*, clari.*, etc. occurs all the time despite admins' best efforts. And when these cancels leak, every news server on Usenet will * suddenly be receiving _thousands_ of additional cancels, and * 99.9999% of the binaries out there will disappear from your servers. I do not want to be handling the support calls when this occurs. If you are interested in this issue, there is a discussion on news.admin.net-abuse.usenet, thread "Karl Denninger loses his marbles..." Or ask me, I'm more than happy to outline the technical ramifications of this, and why it's a bad idea, in more detail. I'll cut and paste from my e-mails to Karl. :) Jeff (news admin/consultant) P.S. Had mailer problems. Apologies if you are seeing this twice.
Path: news.teleport.com!uunet!in3.uu.net!nntp.ntr.net!news.maxwell.syr.edu!news-xfer.newsread.com!netaxs.com!newsread.com!news.mcs.net!ddsw1!news.mcs.net!not-for-mail From: karl@Denninger.Net (Karl Denninger) Newsgroups: chi.internet Subject: Re: MegsInet Newsgroup server Date: 12 Nov 1998 03:59:06 GMT Organization: Karls Sushi and Packet Smashers Message-ID: <72dmea$stt$1@Nntp1.mcs.net> References: <3647E943.3A3@spambusters.ml.org> <72dgku$jo6@enews4.newsguy.com> NNTP-Posting-Host: kdhome-2.pr.mcs.net X-Newsreader: trn 4.0-test69 (20 September 1998) Xref: news.teleport.com chi.internet:17477
In article <72dgku$jo6@enews4.newsguy.com>, Tommy the Terrorist <mayday@newsguy.com> wrote:
In article <3647E943.3A3@spambusters.ml.org> Clifton T. Sharp Jr., agent150@spambusters.ml.org writes:
There were some problems of late. One notable thing from the statistics is that we weren't getting our usual hundreds of thousands of articles from the MCI feed. Since C&W bought MCI's internet stuff, it seems like anything associated with the former MCI has gone straight to hell. It looks to me that as of now the problems are fixed; the newsgroups I follow have suddenly found hundreds of articles apiece.
Who's kidding who? I presume you guys have heard of a certain asshole in New York government (what a redundancy!) named Vacco? Presumably the problem is the collective flushing of digital toilets now that ISP's have become the new hunting ground for Evil Substances, etc.
The problem with this particular war is that nothing short of a total victory for the people, to keep anything and everything on ISP's, can possibly prevent the state aggressors from eating away at free forums of communications as fast as they can have their pet narks post child pornography (with impunity) to anywhere they want the police to "legitimately" attack and destroy. And if that happens, then the last permitted forum of free speech in America, or damn near anywhere else, is dead, and the only hope of humanity for political progress will be in violence so unrestrained and universal that the smallest and weakest of people have an equal power of destruction because it is unlimited for all. And that is what inevitably will happen, unless something worse happens.
Read this. It solves the problem. And yes, this system WILL be going online. The software is already working. The "Clean-News" System ======================= ABSTRACT: "Clean-News" is a means to identify the poster of binary data on Usenet, remove most illegal content, and create a presumption of accountability. IMPLEMENTATION - USER SIDE: The "Clean-News" servers will have a key-ring of PGP keys. Anyone wanting to post "unmolested" binaries does the following: 1. Creates a PGP key for either 2.6.2 or 5.0 of the PGP software. 2. Obtains, from the www.clean-news.org web site, a list of authorized signers of their PGP key. 3. Contacts one of those signers, follows their procedures (which may include the payment of a fee), produces appropriate identification demanded by that signer, and gets their public key *signed* by that organization or individual. That is, the signer *vouches* for the authenticity of the key; that it belongs to the person who claims to be represented, that the email address associated with it is valid, and creates and maintains appropriate records to back up that assertion. 4. Submits the SIGNED key to the clean-news.org system. This database (of signed keys) is PUBLIC. Anyone can query it given an article which is signed by said key and obtain the name, email address, AND SIGNER of the key in question. The person with the private key associated with the signed, public key is then free to post binaries on Usenet, and clean-news will not molest them. IMPLEMENTATION - SERVER SIDE: The "clean-news" system obtains a feed from major backbone sites. It accepts all articles sent to it and maintains no database. It speaks both the older "ihave" protocol as well as the "check/takethis" newer NNTP protocol. Upon receipt of an article, the software checks to see if the posting contains binary data. It looks for common encoding formats - UUENCODE and MIME image data, primarily. Textual messages are ignored. Binary messages are run through the PGP software, and the output of the PGP verification process is read back. This process returns one of several results: 1. No signature on the file at all. 2. A signature is on the file, but the key ID is not known. 3. A signature is on the file, and the key is known, but it is not certified as "trusted". 4. A signature is on the file, is valid, and the key is both known and has a level of trust associated with it. In cases 1 - 3, the clean-news system emits a cancel message for the article in question immediately upon receipt. It does this by following the convention established for NOCEMs and other "spam cancels"; that is, it prepends "cancel." to the Message ID, and emits the cancel with this synthetic message Id. It also returns the posting with the system identification "clean-news" in the PATH line to permit aliasing out of the clean-news feed by those site admins who do not want the cancels. In case 4, the binary is ignored, as textual messages are. IMPLICATIONS - USENET SITE ADMINS READ THIS: 1. If you DO NOT want the "Clean-News" cancels, you should alias out the site "clean-news" from your Usenet software. Note that doing this will REMOVE any presumption that you would otherwise gain by ACCEPTING this feed. 2. If you DO want the "Clean-News" cancels, then do nothing, and further, contact your upstream News peers and insure that THEY are not aliasing out the feed. 3. If you CANNOT obtain these cancels (because all your upstreams are aliasing them out), or if you want the BEST possible feed, contact feedme@clean-news.org by email. You will receive in response an automated email detailing how to obtain a direct feed of the clean-news cancels. Note that this feed is rather low in volume - while it emits MANY cancels, they are small articles. You MUST BE able to keep up with this feed - the feed software will NOT keep articles for more than a few hours before it "junks" them. The feed will come to you via a Diablo feed system and is UNIDIRECTIONAL. Attempting to connect back to the Diablo machine will fail. 4. If you want to pass these cancels on to your PEERS, be advised that some of them may consider this service to be a "bad thing". I recommend, but obviously cannot enforce, that such is noticed to your peers so they may alias out the feed if they do not want it. WHAT DOES THIS MEAN TO POSTERS: 1. The use of a valid key creates a *presumption*, but not proof, that the poster really is who they said they are. That is, enough to get a search warrant. If Kiddie Porn shows up with a signature, the TRUSTED SIGNER of the key is determinable. That signer must, to be considered a trusted signer, keep records suitable for interrogation based on a published policy (ie: "serve us with a subpoena", etc). The LEO in question then asks the signer for the data, and complies with the policy they have set (which may include obtaining a warrant and/or subpoena). They then get a search warrant for the alleged perpetrator of the transmission, and see if in fact the material in question is being emitted there using standard forensic techniques. 2. LEGITIMATE binary posters have nothing to fear. Anonymous binaries get cancelled instantly, as do any which are unauthenticated. Those which ARE authenticated are free to be posted, but your identity is known, its undeniably yours (since it WAS your private key used to sign the article) and if you post something "naughty" the LEOs have all they need to come after you. WHAT ARE MY RESPONSIBILITIES AS A USER OF THIS SYSTEM WHO SUBMITS A KEY? Your primary responsibility is to PROTECT YOUR PRIVATE KEY. It is *STRONGLY* recommended that you keep this key on a protected, safe, removable device (such as a floppy with write-protect enabled) and NOT let it out of your personal control. If your PRIVATE key is COMPROMISED (ie: you lose the disk, you have reason to believe someone has stolen a copy of the key file, etc) you should IMMEDIATELY contact the introducer (the organization or person you had sign the key) *AND* the clean-news system at "revoke@clean-news.org" by email. When you contact the clean-news system, SIGN YOUR REVOCATION REQUEST. DO NOT send anything other than a revocation request to the above address. NOTE THAT REVOCATION OF A KEY IS PERMANENT AND CANNOT BE REVERSED. You should ALSO immediately revoke the key from any other key rings that you may have registered this key with. Note that ANY message signed with your key will be PRESUMED to be issued by you *PERSONALLY*. For this reason you should take EXTREME care with your private key. If it is stolen and used for illicit purposes those transactions will be traced to *YOU*, and you could find yourself under investigation by either civil or criminal authorities for something you have not done. HOW DO YOU REVOKE A KEY IF IT IS COMPROMISED? Keys may be revoked by: 1. The person who owns it at any time (ie; "I lost my key disk"). 2. Any LEO who provides an affidavit that said key was used to post copyrighted or otherwise illegal material. 3. Any LEO who provides an affidavit that a trusted introducer is not in fact trusted (ie: cannot produce the records, or produces false records, regarding a key they signed). 4. A trusted introducer may revoke their signature of any person's key that they have signed, in the event they discover that the key does not in fact belong to the person claimed or identification was falsified. When a key is invalidated the owner of the key is notified by email that their key was removed, and why (which of the above categories "happened"). A cancelled or revoked key is removed from the key ring, and is treated exactly as if it was never submitted to the system. To revoke a key as the owner of the key, send a PGP-signed request to "revoke@clean-news.org". IF THE REQUEST IS NOT SIGNED OR THE SIGNATURE IS INVALID IT WILL BE IGNORED. Assuming that the signature is good, you will be notified by return email when the revocation is processed. IS THERE A COST FOR THIS? 1. Individuals do not pay to list keys. However, INTRODUCERS may charge for signing a key (at their discretion) and maintaining the records necessary to comply with identification requests. 2. Systems desiring a *direct* feed may be assessed a small charge to cover the operating expenses of the systems involved. NO CHARGE FOR THE FEED ITSELF IS MADE, NOR FOR THE PROCESSING - ONLY THE TRANSPORT. If you receive a feed of the cancels you are encouraged to propagate it to others on mutually-agreeable terms to others who are also willing to receive it. WHAT ABOUT PRIVACY ISSUES? 1. The records of the clean-news system are EXPLICITLY public. Ergo, submitting a public key to the system constitutes publication of that key, and the fact that it is signed by one or more organizations and individuals. HOWEVER, that, alone, is worthless to an interloper. The email address on the key does NOT have to be valid, nor does the name - it must only map to a unique person at the SIGNER'S location which can be disclosed through their policies. As such, there is no privacy issue on the keyring used by the clean-news system ITSELF. 2. Customers and users who have their keys signed by an introducer should make themselves aware of the privacy policies of the signer. IF YOU ARE NOT COMFORTABLE WITH THEIR PROCEDURES AND ASSURANCES, YOU SHOULD USE A DIFFERENT KEY SIGNER! -- -- Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.