Hold on to your news servers

Jeff Garzik jgarzik at pobox.com
Fri Nov 13 19:20:17 UTC 1998



Hey guys, this is a heads-up about Karl Denninger's new clean-news
system.  I haven't seen any posts on this list about it.  His message
describing the implementation is attached below, posted "publicly" on
chi.internet.  (skip the quoted stuff)

Karl is about to send out cancel messages, cancelling _every_ Usenet
binary that is not PGP-signed by someone registered with his system.
He says that these cancels will only go out to people he explicitly
peers with, and not Usenet at large.  He then adds that what these
peers do with the cancel msgs is their own business.

Folks, the goal is good, but the implementation is bad.

These cancel msgs will leak out to Usenet at large.  History proves
this; leaking of net.*, bofh.*, clari.*, etc. occurs all the time
despite admins' best efforts.

And when these cancels leak, every news server on Usenet will
* suddenly be receiving _thousands_ of additional cancels, and
* 99.9999% of the binaries out there will disappear from your servers.

I do not want to be handling the support calls when this occurs.

If you are interested in this issue, there is a discussion on
news.admin.net-abuse.usenet, thread "Karl Denninger loses his marbles..."

Or ask me, I'm more than happy to outline the technical ramifications
of this, and why it's a bad idea, in more detail.  I'll cut and paste
from my e-mails to Karl.  :)

	Jeff
	(news admin/consultant)



P.S. Had mailer problems.  Apologies if you are seeing this twice.




>Path: news.teleport.com!uunet!in3.uu.net!nntp.ntr.net!news.maxwell.syr.edu!news-xfer.newsread.com!netaxs.com!newsread.com!news.mcs.net!ddsw1!news.mcs.net!not-for-mail
>From: karl at Denninger.Net (Karl Denninger)
Newsgroups: chi.internet
Subject: Re: MegsInet Newsgroup server
Date: 12 Nov 1998 03:59:06 GMT
Organization: Karls Sushi and Packet Smashers
Message-ID: <72dmea$stt$1 at Nntp1.mcs.net>
References: <3647E943.3A3 at spambusters.ml.org> <72dgku$jo6 at enews4.newsguy.com>
NNTP-Posting-Host: kdhome-2.pr.mcs.net
X-Newsreader: trn 4.0-test69 (20 September 1998)
Xref: news.teleport.com chi.internet:17477

In article <72dgku$jo6 at enews4.newsguy.com>,
Tommy the Terrorist  <mayday at newsguy.com> wrote:
>In article <3647E943.3A3 at spambusters.ml.org> Clifton T. Sharp Jr.,
>agent150 at spambusters.ml.org writes:
>>There were some problems of late. One notable thing from the statistics
>>is that we weren't getting our usual hundreds of thousands of articles
>>from the MCI feed. Since C&W bought MCI's internet stuff, it seems like
>>anything associated with the former MCI has gone straight to hell. It
>>looks to me that as of now the problems are fixed; the newsgroups I follow
>>have suddenly found hundreds of articles apiece.
>
>Who's kidding who?  I presume you guys have heard of a certain asshole in
>New York government (what a redundancy!) named Vacco?  Presumably the
>problem is the collective flushing of digital toilets now that ISP's have
>become the new hunting ground for Evil Substances, etc.
>
>The problem with this particular war is that nothing short of a total
>victory for the people, to keep anything and everything on ISP's, can
>possibly prevent the state aggressors from eating away at free forums of
>communications as fast as they can have their pet narks post child
>pornography (with impunity) to anywhere they want the police to
>"legitimately" attack and destroy.  And if that happens, then the last
>permitted forum of free speech in America, or damn near anywhere else, is
>dead, and the only hope of humanity for political progress will be in
>violence so unrestrained and universal that the smallest and weakest of
>people have an equal power of destruction because it is unlimited for
>all.  And that is what inevitably will happen, unless something worse
>happens.

Read this.  It solves the problem.

And yes, this system WILL be going online.  The software is already working.



The "Clean-News" System 
=======================

ABSTRACT:

"Clean-News" is a means to identify the poster of binary data
on Usenet, remove most illegal content, and create a presumption of
accountability.


IMPLEMENTATION - USER SIDE:

The "Clean-News" servers will have a key-ring of PGP keys.  Anyone wanting 
to post "unmolested" binaries does the following:

1.	Creates a PGP key for either 2.6.2 or 5.0 of the PGP software.

2.	Obtains, from the www.clean-news.org web site, a list of authorized
	signers of their PGP key.

3.	Contacts one of those signers, follows their procedures (which may
	include the payment of a fee), produces appropriate identification
	demanded by that signer, and gets their public key *signed* by that
	organization or individual.  That is, the signer *vouches* for the
	authenticity of the key; that it belongs to the person who claims
	to be represented, that the email address associated with it is
	valid, and creates and maintains appropriate records to back up
	that assertion.

4.	Submits the SIGNED key to the clean-news.org system.

This database (of signed keys) is PUBLIC.  Anyone can query it given an
article which is signed by said key and obtain the name, email address,
AND SIGNER of the key in question.

The person with the private key associated with the signed, public key
is then free to post binaries on Usenet, and clean-news will not molest
them.


IMPLEMENTATION - SERVER SIDE:

The "clean-news" system obtains a feed from major backbone sites.  It
accepts all articles sent to it and maintains no database.  It speaks 
both the older "ihave" protocol as well as the "check/takethis" newer 
NNTP protocol.  

Upon receipt of an article, the software checks to see if the posting
contains binary data.  It looks for common encoding formats - UUENCODE
and MIME image data, primarily.  

Textual messages are ignored.

Binary messages are run through the PGP software, and the output of
the PGP verification process is read back.  This process returns one
of several results:

1.	No signature on the file at all.

2.	A signature is on the file, but the key ID is not known.

3.	A signature is on the file, and the key is known, but it is
	not certified as "trusted".

4.	A signature is on the file, is valid, and the key is both
	known and has a level of trust associated with it.

In cases 1 - 3, the clean-news system emits a cancel message for the article
in question immediately upon receipt.  It does this by following the
convention established for NOCEMs and other "spam cancels"; that is, it
prepends "cancel." to the Message ID, and emits the cancel with this
synthetic message Id.  It also returns the posting with the system
identification "clean-news" in the PATH line to permit aliasing out
of the clean-news feed by those site admins who do not want the cancels.

In case 4, the binary is ignored, as textual messages are.


IMPLICATIONS - USENET SITE ADMINS READ THIS:

1.	If you DO NOT want the "Clean-News" cancels, you should alias out
	the site "clean-news" from your Usenet software.  Note that doing
	this will REMOVE any presumption that you would otherwise gain
	by ACCEPTING this feed.

2.	If you DO want the "Clean-News" cancels, then do nothing, and 
	further, contact your upstream News peers and insure that THEY
	are not aliasing out the feed.

3.	If you CANNOT obtain these cancels (because all your upstreams
	are aliasing them out), or if you want the BEST possible feed,
	contact feedme at clean-news.org by email.  You will receive in
	response an automated email detailing how to obtain a direct 
	feed of the clean-news cancels.

	Note that this feed is rather low in volume - while it emits 
	MANY cancels, they are small articles.  You MUST BE able to 
	keep up with this feed - the feed software will NOT keep 
	articles for more than a few hours before it "junks" them.
	The feed will come to you via a Diablo feed system and is 
	UNIDIRECTIONAL.  Attempting to connect back to the Diablo
	machine will fail.

4.	If you want to pass these cancels on to your PEERS, be advised
	that some of them may consider this service to be a "bad thing".
	I recommend, but obviously cannot enforce, that such is noticed
	to your peers so they may alias out the feed if they do not 
	want it.



WHAT DOES THIS MEAN TO POSTERS:

1.	The use of a valid key creates a *presumption*, but not proof, 
	that the poster really is who they said they are.  That is, enough 
	to get a search warrant.  If Kiddie Porn shows up with a signature, 
	the TRUSTED SIGNER of the key is determinable.  That signer must,
	to be considered a trusted signer, keep records suitable for
	interrogation based on a published policy (ie: "serve us with a
	subpoena", etc).

	The LEO in question then asks the signer for the data, and complies
	with the policy they have set (which may include obtaining a warrant
	and/or subpoena).  They then get a search warrant for the alleged
	perpetrator of the transmission, and see if in fact the material
	in question is being emitted there using standard forensic
	techniques.

2.	LEGITIMATE binary posters have nothing to fear.  Anonymous binaries 
	get cancelled instantly, as do any which are unauthenticated.  
	Those which ARE authenticated are free to be posted, but your 
	identity is known, it's undeniably yours (since it WAS your private 
	key used to sign the article) and if you post something "naughty" 
	the LEOs have all they need to come after you.



WHAT ARE MY RESPONSIBILITIES AS A USER OF THIS SYSTEM WHO SUBMITS A KEY?

Your primary responsibility is to PROTECT YOUR PRIVATE KEY.  It is
*STRONGLY* recommended that you keep this key on a protected, safe,
removable device (such as a floppy with write-protect enabled) and NOT 
let it out of your personal control.

If your PRIVATE key is COMPROMISED (ie: you lose the disk, you have reason 
to believe someone has stolen a copy of the key file, etc) you should
IMMEDIATELY contact the introducer (the organization or person you had sign
the key) *AND* the clean-news system at "revoke at clean-news.org" by email.
When you contact the clean-news system, SIGN YOUR REVOCATION REQUEST.
DO NOT send anything other than a revocation request to the above address.
NOTE THAT REVOCATION OF A KEY IS PERMANENT AND CANNOT BE REVERSED.
You should ALSO immediately revoke the key from any other key rings 
that you may have registered this key with.

Note that ANY message signed with your key will be PRESUMED to be issued
by you *PERSONALLY*.  For this reason you should take EXTREME care with
your private key.  If it is stolen and used for illicit purposes those
transactions will be traced to *YOU*, and you could find yourself under
investigation by either civil or criminal authorities for something you 
have not done.



HOW DO YOU REVOKE A KEY IF IT IS COMPROMISED?

Keys may be revoked by:

1.	The person who owns it at any time (ie; "I lost my key disk").

2.	Any LEO who provides an affidavit that said key was used to
	post copyrighted or otherwise illegal material.  

3.	Any LEO who provides an affidavit that a trusted introducer
	is not in fact trusted (ie: cannot produce the records, or produces
	false records, regarding a key they signed).

4.	A trusted introducer may revoke their signature of any person's key 
	that they have signed, in the event they discover that the key does 
	not in fact belong to the person claimed or identification was
	falsified.

When a key is invalidated the owner of the key is notified by email that 
their key was removed, and why (which of the above categories "happened").

A cancelled or revoked key is removed from the key ring, and is treated
exactly as if it was never submitted to the system.

To revoke a key as the owner of the key, send a PGP-signed request
to "revoke at clean-news.org".  IF THE REQUEST IS NOT SIGNED OR THE SIGNATURE
IS INVALID IT WILL BE IGNORED.  Assuming that the signature is good, you 
will be notified by return email when the revocation is processed.




IS THERE A COST FOR THIS?

1.	Individuals do not pay to list keys.  However, INTRODUCERS may 
	charge for signing a key (at their discretion) and maintaining 
	the records necessary to comply with identification requests.

2.	Systems desiring a *direct* feed may be assessed a small charge
	to cover the operating expenses of the systems involved.  NO CHARGE
	FOR THE FEED ITSELF IS MADE, NOR FOR THE PROCESSING - ONLY THE
	TRANSPORT.  If you receive a feed of the cancels you are encouraged
	to propagate it on mutually-agreeable terms to others
	who are also willing to receive it.



WHAT ABOUT PRIVACY ISSUES?

1.	The records of the clean-news system are EXPLICITLY public.  
	Ergo, submitting a public key to the system constitutes 
	publication of that key, and the fact that it is signed by one
	or more organizations and individuals.  HOWEVER, that, alone, is
	worthless to an interloper.  The email address on the key does NOT
	have to be valid, nor does the name - it must only map to a unique
	person at the SIGNER'S location which can be disclosed through
	their policies.  As such, there is no privacy issue on the keyring
	used by the clean-news system ITSELF.

2.	Customers and users who have their keys signed by an introducer
	should make themselves aware of the privacy policies of the signer.
	IF YOU ARE NOT COMFORTABLE WITH THEIR PROCEDURES AND ASSURANCES, YOU
	SHOULD USE A DIFFERENT KEY SIGNER!

--
-- 
Karl Denninger (karl at denninger.net) http://www.mcs.net/~karl
I ain't even *authorized* to speak for anyone other than myself, so give
up now on trying to associate my words with any particular organization.
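
Added example, not part of either message above: a receiving-side sketch of the alias-out mechanism the post describes, showing how far a clean-news cancel travels through a peer graph depending on which sites alias it out. The peer names, the sample article and the function names are constructed, and placing the "cancel." prefix inside the angle brackets of the Message-ID is an assumption about the convention the post refers to.

```python
from email.parser import HeaderParser

# Constructed sample cancel following the post's description:
# "cancel." prepended to the Message-ID, "clean-news" in the Path line.
SAMPLE = (
    "Path: feeder.example!clean-news!not-for-mail\n"
    "From: cancelbot@clean-news.example\n"
    "Newsgroups: alt.binaries.test\n"
    "Subject: cmsg cancel <abc123@poster.example>\n"
    "Control: cancel <abc123@poster.example>\n"
    "Message-ID: <cancel.abc123@poster.example>\n"
    "\n"
    "Constructed body.\n"
)

def is_clean_news_cancel(raw):
    """True if raw is a cancel with the synthetic ID and the Path tag."""
    h = HeaderParser().parsestr(raw)
    control = (h.get("Control") or "").split()
    if len(control) != 2 or control[0].lower() != "cancel":
        return False
    # Assumed form: <id@host> becomes <cancel.id@host>
    synthetic = "<cancel." + control[1][1:]
    sites = (h.get("Path") or "").split("!")
    return h.get("Message-ID") == synthetic and "clean-news" in sites

def propagate(raw, peers, aliased_out, start):
    """Flood the article from start; return the servers that accept it.

    A server in aliased_out refuses anything tagged as a clean-news
    cancel, so it neither applies the cancel nor forwards it.
    """
    tagged = is_clean_news_cancel(raw)
    accepted, queue = set(), [start]
    while queue:
        site = queue.pop()
        if site in accepted or (tagged and site in aliased_out):
            continue
        accepted.add(site)
        queue.extend(peers.get(site, []))
    return accepted

# Hypothetical peering: isp-c is fed by both isp-a and isp-b.
PEERS = {
    "direct-peer": ["isp-a", "isp-b"],
    "isp-a": ["isp-c"],
    "isp-b": ["isp-c", "isp-d"],
    "isp-c": ["isp-e"],
}
```

With only isp-a aliasing the feed out, the cancel still reaches isp-c and isp-e through isp-b; a site is shielded only if it aliases the feed out itself or every one of its upstreams does.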


