FORGED CANCELS of posts on n.a.n-a.m

[Dr. Dimitri Vulis]

[A quick last word before I leave for a wilderness area with no net.access.]

In article <199510051540.IAA23612 at ix.ix.netcom.com>, Bill Stewart
<stewarts at ix.netcom.com> writes:
[Hujskonen-Franz]
>Aside from the forged-From:-bogus-cancel spam /r$ proposed, this has
>the problem that it still only allows the originator to cancel a message,
>and not either the moderator of a moderated group or a Good Spam-canceller
>like CancelMoose, as well as stopping censors and cancel-spammers.

The respected CancelMoose no longer posts cancels, but posts PGP-signed NoCeM
notices. In fact, CancelMoose's web site has some nice things to say about the
Hujskonen-Franz proposal. I quote URL: http://www.cm.org/about-cancels.html:

]About Cancels
]*************
]
]A number of people have asked about the relationship between this project
]and spam cancels. IMHO, the point is moot.
]
]I envision unauthenticated cancel messages will rapidly become obsolete,
]once people start posting menu driven cancelbots. If we want cancels back
]we'll have to authenticate them.
]
]Taneli Huuskonen first suggested this scheme to me, and I think it's an
]excellent idea.
]
]For every posted message there is a "Cancel-Key" which is the message-id of
]the message hashed with a secret password. The MD5 of the cancel-key is the
]"Cancel-Challenge" which is posted as a header in every post you make. To
]cancel that post, the cancel message must have a copy of the Cancel-Key in
]the headers. An admin can configure his news software to add another
]Cancel-Challenge to the post, if he/she wishes to retain the rights to
]cancel it. The only people this leaves out in the cold is the moderators--
]this does not allow them to protect their newsgroup-- perhaps a public key
]based system to "prove" moderation will prove necessary, but that will
]require some MAJOR reworkings of news...
]
]Email: moose at cm.org

I urge cypherpunks to read the NoCeM information on URL http://www.cm.org/ and
to jump on the NoCeM bandwagon (such as, start posting PGP-signed "show"
ratings for articles we find worth highlighting).

I see nothing in RFC 1036 that says that a moderator of a newsgroup should be
able to cancel other people's posts in his/her group. There's an old Usenet
tradition (bad, IMO) that when Alice posts an article in Bob's moderated group
and inserts her own "Approved:" header, then Bob is expected to impersonate
Alice and to post a cancel in Alice's name for the unauthorized article. But,
at present, nothing prevents some Charlie from impersonating Bob impersonating
Alice and forging a cancel for an article that actually was approved by Bob.

Basically, if Alice posts an article with her own "Approved:" header in Bob's
newsgroup, then this problem is not going to be solved by just cancelling her
article(s). If Alice keeps doing that, it becomes necessary to talk to her
feeds about aliasing her site, and the cancels have little to do with it.

IMVHO, only the author should be able to cancel her own postings in a moderated
group. If the posting was not properly approved, she should cancel them to show
good will. Once Bob has _approved Alice's posting in his moderated group, he
shouldn't be able to impersonate Alice to cancel it, but should ask Alice.

(And all this can be done with the Hujskonen-Franz scheme.)

Bob can instead protect his newsgroup by posting a PGP-signed NoCeM notice:
 Action: hide
 Type: unauthorized posting
or by asking someone widely trusted, like CM, to post such a notice.

Likewise when Brad Templeton and/or Co$ (sorry Brad for lumping you together :)
see an article which they think quotes their copyrighted material, they should
not forge a cancel, but post a PGP-signed NoCeM notice:
 Action: hide
 Type: copyright violation
I wonder how many sites would honor CancelPoodle's NoCeM notices? :)

The Hujskonen-Franz scheme would still allow Clarinet to continue massively
canceling/superseding their own articles.

Continuing to quote Bill Stewart:
>Cancellation is a sufficiently local-policy-dependent issue, and reasonably
>low volume compared to the rest of news, that it probably makes sense for
>the various news programs to hand cancellation requests off to an external
>program, which can be locally modified as desired.

It would be nice if inn and nn called the same external program to handle
cancels. Now nn's database easily gets out of sync.

With an external program, each site could choose to honor only authenticated
cancels and ignore 3rd party NoCeM's (but let the users mark NoCeM'd articles
as read, if they want to); or honor all cancels; or something in between.

>One approach is to add digital signature and verification capability
>to News, at least to support cancels; doing this in an outboard
>cancel-daemon is obviously easier.  RIPEM-SIG is a signature-only
>version of RIPEM which is exportable, probably just in binaries.
>The local cancel-daemon could accept cancellation requests that were signed
>by anybody on the list of locally-approved cancellers; one site could accept
>cancels from Cancelmoose, newsgroup moderators, and Helena Kobrin;
>another could do authors only.  This would, of course, encourage people
>to get their digital signatures out there to allow themselves to cancel
>their own messages.

Any idea that encourages people to use digital signatures is good. However the
Hujskonen-Franz proposal allows a total stranger to post an article to your
news spool; then to cancel this article, with your being reasonable sure that
the cancel came from the same total stranger, and without establishing any
further trust for the stranger. There are tens of millions of people with
Usenet access. It's an overkill to collect a key from each one to allow them to
cancel their articles. NoCeM is a very promising protocol for allowing trusted
third parties to eliminate articles by posting PGP-signed notices. (e.g.,
CancelMoose new way of killing spam -- no more forged cancels from CM!)

ObMoosePoem: :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
Moose, Moose, wonderful Moose!
Tramples spam with a hoof;
Spammers go through the roof.
Moose, Moose, wonderful Moose!
Rids us of ugly spam.
Fond of the Moose I am.
Moose, Moose, wonderful Moose!
:-) I have to go _right _now.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps