From: paulp@nic.cerf.net (Paul Phillips) Newsgroups: news.admin.misc,news.admin.policy,news.future,alt.stop.spamming,alt.current-events.net-abuse Subject: Crazy thought: spam script Date: 11 Nov 1994 07:52:10 GMT The age old debate on comp.security.* and similar groups is that of STO (security through obscurity) vs. full disclosure. I have watched and participated in this conflict for some time, and both my experience and common sense tell me that full disclosure is far more effective for ensuring computer and network security than relying on STO. Usenet, as many of us know, relies almost entirely on STO to stay alive. It is not difficult to forge posts, forge cancels, forge moderator approval, or spam Usenet; the only real force preventing these from happening en masse is obscurity. And this too shall fall. Usenet of the future (Usenet++ as I have called it before) will require modern techniques for sender verification and other security measures. Such measures are not going to come about simply because we would like them, necessity being the mother of invention. With certain forces that shall remain nameless speeding the end of obscurity towards us, I am idly wondering whether it might be worthwhile to bring action to the fore. Which brings me to the subject line. Say I wrote a perl script called "spam" that exploited the ease of massive posting to Usenet; the user simply types spam and the file goes out to every newsgroup available at that site. Then I make this available via anonymous ftp. Just for fun, imagine I also write "approve" for forging moderator approval, "cancel" for forging cancels given a message ID, and "postas" for forging origination and adding convincing path elements, and make these available as well. What effects on Usenet? Please consider this for a moment before hitting that F key. I am thoroughly convinced that Usenet will never die; it will simply change. Such drastic measures as I propose above might cause a heart stoppage, but Usenet would be reborn anew. I am technically capable (although this will not happen due to time constraints) of writing news software that incorporates authentication and other techniques of securing Usenet. There are others much more capable than I. Would these measure speed the development and deployment of that software, or cause unduly harsh growing pains? Would the threat of making such scripts available hurry the development of more secure software? I promise you that the exploit scripts published by 8lgm for various security holes spurred vendor action (for certain definitions of the word "action".) Usenet software generally written by volunteers, this is a different paradigm and I recognize that. I am interested in feedback on this idea, however. -PSP -- "Now, for a few little pieces of de facto history, and contemporary events , to show how raving insane this passage actually is." -- Andrew Beckwith alt.usenet.kooks