Hey guys, this is a heads-up about Karl Denninger's new clean-news system. I haven't seen any posts on this list about it. His message describing the implementation is attached below, posted "publicly" on chi.internet. (skip the quoted stuff) Karl is about to send out cancel messages, cancelling _every_ Usenet binary that is not PGP-signed by someone registered with his system. He says that these cancels will only go out to people he explicitly peers with, and not Usenet at large. He then adds that what these peers do with the cancel msgs is their own business. Folks, the goal is good, but the implementation is bad. These cancel msgs will leak out to Usenet at large. History proves this; leaking of net.*, bofh.*, clari.*, etc. occurs all the time despite admins' best efforts. And when these cancels leak, every news server on Usenet will * suddenly be receiving _thousands_ of additional cancels, and * 99.9999% of the binaries out there will disappear from your servers. I do not want to be handling the support calls when this occurs. If you are interested in this issue, there is a discussion on news.admin.net-abuse.usenet, thread "Karl Denninger loses his marbles..." Or ask me, I'm more than happy to outline the technical ramifications of this, and why it's a bad idea, in more detail. I'll cut and paste from my e-mails to Karl. :) Jeff (news admin/consultant) P.S. Had mailer problems. Apologies if you are seeing this twice.
Path: news.teleport.com!uunet!in3.uu.net!nntp.ntr.net!news.maxwell.syr.edu!news-xfer.newsread.com!netaxs.com!newsread.com!news.mcs.net!ddsw1!news.mcs.net!not-for-mail From: karl@Denninger.Net (Karl Denninger) Newsgroups: chi.internet Subject: Re: MegsInet Newsgroup server Date: 12 Nov 1998 03:59:06 GMT Organization: Karls Sushi and Packet Smashers Message-ID: <72dmea$stt$1@Nntp1.mcs.net> References: <3647E943.3A3@spambusters.ml.org> <72dgku$jo6@enews4.newsguy.com> NNTP-Posting-Host: kdhome-2.pr.mcs.net X-Newsreader: trn 4.0-test69 (20 September 1998) Xref: news.teleport.com chi.internet:17477
In article <72dgku$jo6@enews4.newsguy.com>, Tommy the Terrorist <mayday@newsguy.com> wrote:
In article <3647E943.3A3@spambusters.ml.org> Clifton T. Sharp Jr., agent150@spambusters.ml.org writes:
There were some problems of late. One notable thing from the statistics is that we weren't getting our usual hundreds of thousands of articles from the MCI feed. Since C&W bought MCI's internet stuff, it seems like anything associated with the former MCI has gone straight to hell. It looks to me that as of now the problems are fixed; the newsgroups I follow have suddenly found hundreds of articles apiece.
Who's kidding who? I presume you guys have heard of a certain asshole in New York government (what a redundancy!) named Vacco? Presumably the problem is the collective flushing of digital toilets now that ISP's have become the new hunting ground for Evil Substances, etc.
The problem with this particular war is that nothing short of a total victory for the people, to keep anything and everything on ISP's, can possibly prevent the state aggressors from eating away at free forums of communications as fast as they can have their pet narks post child pornography (with impunity) to anywhere they want the police to "legitimately" attack and destroy. And if that happens, then the last permitted forum of free speech in America, or damn near anywhere else, is dead, and the only hope of humanity for political progress will be in violence so unrestrained and universal that the smallest and weakest of people have an equal power of destruction because it is unlimited for all. And that is what inevitably will happen, unless something worse happens.
Read this. It solves the problem. And yes, this system WILL be going online. The software is already working. The "Clean-News" System ======================= ABSTRACT: "Clean-News" is a means to identify the poster of binary data on Usenet, remove most illegal content, and create a presumption of accountability. IMPLEMENTATION - USER SIDE: The "Clean-News" servers will have a key-ring of PGP keys. Anyone wanting to post "unmolested" binaries does the following: 1. Creates a PGP key for either 2.6.2 or 5.0 of the PGP software. 2. Obtains, from the www.clean-news.org web site, a list of authorized signers of their PGP key. 3. Contacts one of those signers, follows their procedures (which may include the payment of a fee), produces appropriate identification demanded by that signer, and gets their public key *signed* by that organization or individual. That is, the signer *vouches* for the authenticity of the key; that it belongs to the person who claims to be represented, that the email address associated with it is valid, and creates and maintains appropriate records to back up that assertion. 4. Submits the SIGNED key to the clean-news.org system. This database (of signed keys) is PUBLIC. Anyone can query it given an article which is signed by said key and obtain the name, email address, AND SIGNER of the key in question. The person with the private key associated with the signed, public key is then free to post binaries on Usenet, and clean-news will not molest them. IMPLEMENTATION - SERVER SIDE: The "clean-news" system obtains a feed from major backbone sites. It accepts all articles sent to it and maintains no database. It speaks both the older "ihave" protocol as well as the "check/takethis" newer NNTP protocol. Upon receipt of an article, the software checks to see if the posting contains binary data. It looks for common encoding formats - UUENCODE and MIME image data, primarily. Textual messages are ignored. Binary messages are run through the PGP software, and the output of the PGP verification process is read back. This process returns one of several results: 1. No signature on the file at all. 2. A signature is on the file, but the key ID is not known. 3. A signature is on the file, and the key is known, but it is not certified as "trusted". 4. A signature is on the file, is valid, and the key is both known and has a level of trust associated with it. In cases 1 - 3, the clean-news system emits a cancel message for the article in question immediately upon receipt. It does this by following the convention established for NOCEMs and other "spam cancels"; that is, it prepends "cancel." to the Message ID, and emits the cancel with this synthetic message Id. It also returns the posting with the system identification "clean-news" in the PATH line to permit aliasing out of the clean-news feed by those site admins who do not want the cancels. In case 4, the binary is ignored, as textual messages are. IMPLICATIONS - USENET SITE ADMINS READ THIS: 1. If you DO NOT want the "Clean-News" cancels, you should alias out the site "clean-news" from your Usenet software. Note that doing this will REMOVE any presumption that you would otherwise gain by ACCEPTING this feed. 2. If you DO want the "Clean-News" cancels, then do nothing, and further, contact your upstream News peers and insure that THEY are not aliasing out the feed. 3. If you CANNOT obtain these cancels (because all your upstreams are aliasing them out), or if you want the BEST possible feed, contact feedme@clean-news.org by email. You will receive in response an automated email detailing how to obtain a direct feed of the clean-news cancels. Note that this feed is rather low in volume - while it emits MANY cancels, they are small articles. You MUST BE able to keep up with this feed - the feed software will NOT keep articles for more than a few hours before it "junks" them. The feed will come to you via a Diablo feed system and is UNIDIRECTIONAL. Attempting to connect back to the Diablo machine will fail. 4. If you want to pass these cancels on to your PEERS, be advised that some of them may consider this service to be a "bad thing". I recommend, but obviously cannot enforce, that such is noticed to your peers so they may alias out the feed if they do not want it. WHAT DOES THIS MEAN TO POSTERS: 1. The use of a valid key creates a *presumption*, but not proof, that the poster really is who they said they are. That is, enough to get a search warrant. If Kiddie Porn shows up with a signature, the TRUSTED SIGNER of the key is determinable. That signer must, to be considered a trusted signer, keep records suitable for interrogation based on a published policy (ie: "serve us with a subpoena", etc). The LEO in question then asks the signer for the data, and complies with the policy they have set (which may include obtaining a warrant and/or subpoena). They then get a search warrant for the alleged perpetrator of the transmission, and see if in fact the material in question is being emitted there using standard forensic techniques. 2. LEGITIMATE binary posters have nothing to fear. Anonymous binaries get cancelled instantly, as do any which are unauthenticated. Those which ARE authenticated are free to be posted, but your identity is known, its undeniably yours (since it WAS your private key used to sign the article) and if you post something "naughty" the LEOs have all they need to come after you. WHAT ARE MY RESPONSIBILITIES AS A USER OF THIS SYSTEM WHO SUBMITS A KEY? Your primary responsibility is to PROTECT YOUR PRIVATE KEY. It is *STRONGLY* recommended that you keep this key on a protected, safe, removable device (such as a floppy with write-protect enabled) and NOT let it out of your personal control. If your PRIVATE key is COMPROMISED (ie: you lose the disk, you have reason to believe someone has stolen a copy of the key file, etc) you should IMMEDIATELY contact the introducer (the organization or person you had sign the key) *AND* the clean-news system at "revoke@clean-news.org" by email. When you contact the clean-news system, SIGN YOUR REVOCATION REQUEST. DO NOT send anything other than a revocation request to the above address. NOTE THAT REVOCATION OF A KEY IS PERMANENT AND CANNOT BE REVERSED. You should ALSO immediately revoke the key from any other key rings that you may have registered this key with. Note that ANY message signed with your key will be PRESUMED to be issued by you *PERSONALLY*. For this reason you should take EXTREME care with your private key. If it is stolen and used for illicit purposes those transactions will be traced to *YOU*, and you could find yourself under investigation by either civil or criminal authorities for something you have not done. HOW DO YOU REVOKE A KEY IF IT IS COMPROMISED? Keys may be revoked by: 1. The person who owns it at any time (ie; "I lost my key disk"). 2. Any LEO who provides an affidavit that said key was used to post copyrighted or otherwise illegal material. 3. Any LEO who provides an affidavit that a trusted introducer is not in fact trusted (ie: cannot produce the records, or produces false records, regarding a key they signed). 4. A trusted introducer may revoke their signature of any person's key that they have signed, in the event they discover that the key does not in fact belong to the person claimed or identification was falsified. When a key is invalidated the owner of the key is notified by email that their key was removed, and why (which of the above categories "happened"). A cancelled or revoked key is removed from the key ring, and is treated exactly as if it was never submitted to the system. To revoke a key as the owner of the key, send a PGP-signed request to "revoke@clean-news.org". IF THE REQUEST IS NOT SIGNED OR THE SIGNATURE IS INVALID IT WILL BE IGNORED. Assuming that the signature is good, you will be notified by return email when the revocation is processed. IS THERE A COST FOR THIS? 1. Individuals do not pay to list keys. However, INTRODUCERS may charge for signing a key (at their discretion) and maintaining the records necessary to comply with identification requests. 2. Systems desiring a *direct* feed may be assessed a small charge to cover the operating expenses of the systems involved. NO CHARGE FOR THE FEED ITSELF IS MADE, NOR FOR THE PROCESSING - ONLY THE TRANSPORT. If you receive a feed of the cancels you are encouraged to propagate it to others on mutually-agreeable terms to others who are also willing to receive it. WHAT ABOUT PRIVACY ISSUES? 1. The records of the clean-news system are EXPLICITLY public. Ergo, submitting a public key to the system constitutes publication of that key, and the fact that it is signed by one or more organizations and individuals. HOWEVER, that, alone, is worthless to an interloper. The email address on the key does NOT have to be valid, nor does the name - it must only map to a unique person at the SIGNER'S location which can be disclosed through their policies. As such, there is no privacy issue on the keyring used by the clean-news system ITSELF. 2. Customers and users who have their keys signed by an introducer should make themselves aware of the privacy policies of the signer. IF YOU ARE NOT COMFORTABLE WITH THEIR PROCEDURES AND ASSURANCES, YOU SHOULD USE A DIFFERENT KEY SIGNER! -- -- Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.
Wouldn't it be nice if people actually quoted things correctly.... Quoting from his FAQ as posted on inet-access. " THIS CANCEL ADVISORY SYSTEM IS OPT-IN; THE CANCELS WILL *NOT* BE GENERALLY INJECTED BACK INTO THE USENET NEWS STREAM. "
Oh, those who want to try to sink this with public opinion (won't work; anyone who's known me for more than a day knows how much I count that in my evaluations) don't have to bother telling the truth. - -- Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization. On Fri, Nov 13, 1998 at 06:00:15PM -0700, John M. Brown wrote:
Wouldn't it be nice if people actually quoted things correctly....
Quoting from his FAQ as posted on inet-access.
" THIS CANCEL ADVISORY SYSTEM IS OPT-IN; THE CANCELS WILL *NOT* BE GENERALLY INJECTED BACK INTO THE USENET NEWS STREAM. "
It sounds like you want to censor UseNet and you want to be the god that gets to do that. I think UseNet will survive you as it has survived everyone else. Everyone will OPT you OUT. I'm curious of several things. 1.) Did you consult any Internet standards group or organization about your plan for UseNet? 2.) What is your motivation political or profit? Or do you answer to a higher authority? At 07:25 PM 11/13/98 -0600, you wrote:
Oh, those who want to try to sink this with public opinion (won't work; anyone who's known me for more than a day knows how much I count that in my evaluations) don't have to bother telling the truth.
- -- Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.
On Fri, Nov 13, 1998 at 06:00:15PM -0700, John M. Brown wrote:
Wouldn't it be nice if people actually quoted things correctly....
Quoting from his FAQ as posted on inet-access.
" THIS CANCEL ADVISORY SYSTEM IS OPT-IN; THE CANCELS WILL *NOT* BE GENERALLY INJECTED BACK INTO THE USENET NEWS STREAM. "
/------------------------------------------------\ | Alan Spicer (tech@ebiznet.com) NIC:AGS14 | | Systems Analyst / Administrator / Tech Support | | | | www.ebiznet.com | www.websgreatesthits.com | \------------------------------------------------/
On Sat, Nov 14, 1998 at 01:10:05PM -0500, Alan Spicer wrote:
It sounds like you want to censor UseNet and you want to be the god that gets to do that.
It sounds to me like you disagree with free speech and the right to decide what happens on private property - unless its what YOU demand others do.
I think UseNet will survive you as it has survived everyone else. Everyone will OPT you OUT. I'm curious of several things. 1.) Did you consult any Internet standards group or organization about your plan for UseNet?
Why should I? This isn't a standard.
2.) What is your motivation political or profit? Or do you answer to a higher authority?
Excuse me? That question made no sense; my views on this matter, and Usenet in general, are hardly new, as anyone who has known of me for the last 10 or so years is well aware. -- -- Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.
At 07:25 PM 11/13/98 -0600, you wrote:
Oh, those who want to try to sink this with public opinion (won't work; anyone who's known me for more than a day knows how much I count that in my evaluations) don't have to bother telling the truth.
- -- Karl Denninger (karl@denninger.net) http://www.mcs.net/~karl I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.
On Fri, Nov 13, 1998 at 06:00:15PM -0700, John M. Brown wrote:
Wouldn't it be nice if people actually quoted things correctly....
Quoting from his FAQ as posted on inet-access.
" THIS CANCEL ADVISORY SYSTEM IS OPT-IN; THE CANCELS WILL *NOT* BE GENERALLY INJECTED BACK INTO THE USENET NEWS STREAM. "
/------------------------------------------------\ | Alan Spicer (tech@ebiznet.com) NIC:AGS14 | | Systems Analyst / Administrator / Tech Support | | | | www.ebiznet.com | www.websgreatesthits.com | \------------------------------------------------/
At 01:10 PM 11/14/98 -0500, Alan Spicer wrote:
It sounds like you want to censor UseNet and you want to be the god that gets to do that. I think UseNet will survive you as it has survived everyone else. Everyone will OPT you OUT. I'm curious of several things. 1.) Did you consult any Internet standards group or organization about your plan for UseNet? 2.) What is your motivation political or profit? Or do you answer to a higher authority?
<SATIRE> You mean BESIDES the voices in his head? </SATIRE>
John M. Brown wrote:
Wouldn't it be nice if people actually quoted things correctly....
Quoting from his FAQ as posted on inet-access.
" THIS CANCEL ADVISORY SYSTEM IS OPT-IN; THE CANCELS WILL *NOT* BE GENERALLY INJECTED BACK INTO THE USENET NEWS STREAM. "
I presume you are referring to me. Here's the train of logic. Karl's system is opt-in. His cancels never make it to Usenet. Then something goes wrong, and cancels leak to Usenet. Now every Usenet news admin in the world must change their system, and/or every Usenet user in the world posting binaries must register with Karl's system. At that point, Karl's system is now opt-out. At that point, Karl's system is cancelling legitimate, on-topic posts made by users wholly unrelated to his new business and his customers. This entire line of logic depends on the likelihood of something going wrong with Karl's system, where cancels leak out onto Usenet at large. (Remember, for his "opt-in" claim to be true, his system must never fail.) Now we turn to history. _Every_ attempt to prevent article leakages on Usenet has failed. Chris Lewis' (?) example was ClariNet -- they have far more money, lawyers, and connections than Karl ever will, but they continue to battle leaks. The logic connection is now made. All news admin opinions I've read in the past 48 hours agree with my own -- cancel leakage is likely, if not inevitable. And if this wasn't enough justification, here's a further list of problems, which I sent to Karl and copied to a newsadmin list. Note the lack of response to certain key items in the second post. Jeff P.S. Sorry for the verbosity. My last public post on the subject. Karl will hang himself without my help :) [ First post -- my take on problems with his system -- he responded to all points ] 1) No accountability. If your goal was to make these cancels public, it would be trivial to shift the blame and put yourself in a position where the downstream peer gets all the heat. 2) No privacy. Requiring registration in order to post is a great idea for cutting down spam, but it's the Usenet equivalent of a poll tax. Individuals who do register have given up a slice of privacy in order to do so. Individuals who do not register may have their post canceled. Anonymity is treasured by many on Usenet. 3) No leak detection. I can guarantee that your cancels will leak all the time unless you peer only with clueful admins -- not just admins who pay a fee, or say they run a news site. Take a look at Usenet II and see how their software works, and how their network-within-a-network is set up. (even they have leaks, but it is less frequent than your system, in its current incarnation, will wind up) 4) Censorship. Cancelling means you are denying someone a voice. In this case, _your_ system denies anyone who has not registered with your service a voice. And if one of your peers decides to leak your cancels, you are now censoring the entirety of Usenet. 5) Attacking the wrong end of the problem. Once again, an anti-spam solution is presented that tackles the problem after it becomes a problem -- after the article has been posted, and after the article hits all the peers on the backbone. The net effect of your plan is to _increase_ the bandwidth consumed by Usenet. [ Second post -- he objected to the last sentence, and asserted that his system catches 50% of the bad articles before they reach news sites. I respond... ] Cancels have always increased bandwidth. The past few years have seen an increase in bandwidth, in no small part BECAUSE of cancels. It's an arms race -- cancels come out more quickly, so spammers post more, more quickly. Graphs show that most articles reach well-connected sites within 30-60 seconds of being posted. Almost all articles reach sites within 10-15 minutes of being posted. Because of high-speed news routing, a cancel that arrives _before_ the actual article is the exception, not the rule. One must introduce artificial delays before early cancels become effective at all. Hard numbers have been posted on news.software.nntp and news.admin.net-abuse.usenet proving this. I'm interested to see if you have anything beyond wild guesses disputing this. [ no response to any of the 'hard facts' above... ] Finally, the biggest problem with your proposal is cancel leakage. The cancels WILL leak. History has proven this time and time again with semi-private hierarchies. And when the cancels leak, two things will happen. First, the resulting cancel storm will kill many slower sites. Second, when the binaries disappear all over Usenet, you will have _thousands_ calling their ISPs and complaining. Maybe one or two will sign up with your system. The rest will put their money, influence, and muscle towards cutting your peers and you off Usenet. Please don't interpret this as a threat -- simply a prediction. To summarize, you have a worthy goal. Nobody on any newsgroup or mailing list has disputed this. But your implementation, your means to an end, leaves much to be desired.
participants (5)
-
Alan Spicer
-
Derek Balling
-
Jeff Garzik
-
John M. Brown
-
Karl Denninger