nanog mailing list archives

Re: Hold on to your news servers

From: Dean Anderson <dean () av8 com>
Date: Fri, 13 Nov 1998 18:57:47 -0500

Sheesh.  I'm getting tired of increasingly large logs of cancels and
reposts. I think we should start treating all cancels that are sent out by
someone who is not a moderator or the original poster as an abuse.

Anyone who cancels someone else's post who is not a moderator or the
original poster should lose their account/job at ISP/etc.

So let's start sending in complaints...


At 02:20 PM 11/13/1998 -0500, Jeff Garzik wrote:

Hey guys, this is a heads-up about Karl Denninger's new clean-news
system.  I haven't seen any posts on this list about it.  His message
describing the implementation is attached below, posted "publicly" on
chi.internet.  (skip the quoted stuff)

Karl is about to send out cancel messages, cancelling _every_ Usenet
binary that is not PGP-signed by someone registered with his system.
He says that these cancels will only go out to people he explicitly
peers with, and not Usenet at large.  He then adds that what these
peers do with the cancel msgs is their own business.

Folks, the goal is good, but the implementation is bad.

These cancel msgs will leak out to Usenet at large.  History proves
this; leaking of net.*, bofh.*, clari.*, etc. occurs all the time
despite admins' best efforts.

And when these cancels leak, every news server on Usenet will
* suddenly be receiving _thousands_ of additional cancels, and
* 99.9999% of the binaries out there will disappear from your servers.

I do not want to be handling the support calls when this occurs.

If you are interested in this issue, there is a discussion on, thread "Karl Denninger loses his marbles..."

Or ask me, I'm more than happy to outline the technical ramifications
of this, and why it's a bad idea, in more detail.  I'll cut and paste
from my e-mails to Karl.  :)

      (news admin/consultant)

P.S. Had mailer problems.  Apologies if you are seeing this twice.

From: karl () Denninger Net (Karl Denninger)
Newsgroups: chi.internet
Subject: Re: MegsInet Newsgroup server
Date: 12 Nov 1998 03:59:06 GMT
Organization: Karls Sushi and Packet Smashers
Message-ID: <72dmea$stt$1 () Nntp1 mcs net>
References: <3647E943.3A3 () spambusters ml org> <72dgku$jo6 () enews4 newsguy com>
X-Newsreader: trn 4.0-test69 (20 September 1998)
Xref: chi.internet:17477

In article <72dgku$jo6 () enews4 newsguy com>,
Tommy the Terrorist  <mayday () newsguy com> wrote:
In article <3647E943.3A3 () spambusters ml org> Clifton T. Sharp Jr.,
agent150 () spambusters ml org writes:
There were some problems of late. One notable thing from the statistics
is that we weren't getting our usual hundreds of thousands of articles
from the MCI feed. Since C&W bought MCI's internet stuff, it seems like
anything associated with the former MCI has gone straight to hell. It
looks to me that as of now the problems are fixed; the newsgroups I follow
have suddenly found hundreds of articles apiece.

Who's kidding who?  I presume you guys have heard of a certain asshole in
New York government (what a redundancy!) named Vacco?  Presumably the
problem is the collective flushing of digital toilets now that ISP's have
become the new hunting ground for Evil Substances, etc.

The problem with this particular war is that nothing short of a total
victory for the people, to keep anything and everything on ISP's, can
possibly prevent the state aggressors from eating away at free forums of
communications as fast as they can have their pet narks post child
pornography (with impunity) to anywhere they want the police to
"legitimately" attack and destroy.  And if that happens, then the last
permitted forum of free speech in America, or damn near anywhere else, is
dead, and the only hope of humanity for political progress will be in
violence so unrestrained and universal that the smallest and weakest of
people have an equal power of destruction because it is unlimited for
all.  And that is what inevitably will happen, unless something worse

Read this.  It solves the problem.

And yes, this system WILL be going online.  The software is already working.

The "Clean-News" System 


"Clean-News" is a means to identify the poster of binary data
on Usenet, remove most illegal content, and create a presumption of


The "Clean-News" servers will have a key-ring of PGP keys.  Anyone wanting 
to post "unmolested" binaries does the following:

1.     Creates a PGP key for either 2.6.2 or 5.0 of the PGP software.

2.     Obtains, from the web site, a list of authorized
      signers of their PGP key.

3.     Contacts one of those signers, follows their procedures (which may
      include the payment of a fee), produces appropriate identification
      demanded by that signer, and gets their public key *signed* by that
      organization or individual.  That is, the signer *vouches* for the
      authenticity of the key; that it belongs to the person who claims
      to be represented, that the email address associated with it is
      valid, and creates and maintains appropriate records to back up
      that assertion.

4.     Submits the SIGNED key to the system.

This database (of signed keys) is PUBLIC.  Anyone can query it given an
article which is signed by said key and obtain the name, email address,
AND SIGNER of the key in question.

The person with the private key associated with the signed, public key
is then free to post binaries on Usenet, and clean-news will not molest


The "clean-news" system obtains a feed from major backbone sites.  It
accepts all articles sent to it and maintains no database.  It speaks 
both the older "ihave" protocol as well as the "check/takethis" newer 
NNTP protocol.  

Upon receipt of an article, the software checks to see if the posting
contains binary data.  It looks for common encoding formats - UUENCODE
and MIME image data, primarily.  

Textual messages are ignored.

Binary messages are run through the PGP software, and the output of
the PGP verification process is read back.  This process returns one
of several results:

1.     No signature on the file at all.

2.     A signature is on the file, but the key ID is not known.

3.     A signature is on the file, and the key is known, but it is
      not certified as "trusted".

4.     A signature is on the file, is valid, and the key is both
      known and has a level of trust associated with it.

In cases 1 - 3, the clean-news system emits a cancel message for the article
in question immediately upon receipt.  It does this by following the
convention established for NOCEMs and other "spam cancels"; that is, it
prepends "cancel." to the Message ID, and emits the cancel with this
synthetic message Id.  It also returns the posting with the system
identification "clean-news" in the PATH line to permit aliasing out
of the clean-news feed by those site admins who do not want the cancels.

In case 4, the binary is ignored, as textual messages are.


1.     If you DO NOT want the "Clean-News" cancels, you should alias out
      the site "clean-news" from your Usenet software.  Note that doing
      this will REMOVE any presumption that you would otherwise gain
      by ACCEPTING this feed.

2.     If you DO want the "Clean-News" cancels, then do nothing, and
      further, contact your upstream News peers and ensure that THEY
      are not aliasing out the feed.

3.     If you CANNOT obtain these cancels (because all your upstreams
      are aliasing them out), or if you want the BEST possible feed,
      contact feedme () clean-news org by email.  You will receive in
      response an automated email detailing how to obtain a direct 
      feed of the clean-news cancels.

      Note that this feed is rather low in volume - while it emits 
      MANY cancels, they are small articles.  You MUST BE able to 
      keep up with this feed - the feed software will NOT keep 
      articles for more than a few hours before it "junks" them.
      The feed will come to you via a Diablo feed system and is 
      UNIDIRECTIONAL.  Attempting to connect back to the Diablo
      machine will fail.

4.     If you want to pass these cancels on to your PEERS, be advised
      that some of them may consider this service to be a "bad thing".
      I recommend, but obviously cannot enforce, that such is noticed
      to your peers so they may alias out the feed if they do not 
      want it.


1.     The use of a valid key creates a *presumption*, but not proof, 
      that the poster really is who they said they are.  That is, enough 
      to get a search warrant.  If Kiddie Porn shows up with a signature, 
      the TRUSTED SIGNER of the key is determinable.  That signer must,
      to be considered a trusted signer, keep records suitable for
      interrogation based on a published policy (ie: "serve us with a
      subpoena", etc).

      The LEO in question then asks the signer for the data, and complies
      with the policy they have set (which may include obtaining a warrant
      and/or subpoena).  They then get a search warrant for the alleged
      perpetrator of the transmission, and see if in fact the material
      in question is being emitted there using standard forensic

2.     LEGITIMATE binary posters have nothing to fear.  Anonymous binaries 
      get cancelled instantly, as do any which are unauthenticated.  
      Those which ARE authenticated are free to be posted, but your
      identity is known, it's undeniably yours (since it WAS your private
      key used to sign the article) and if you post something "naughty"
      the LEOs have all they need to come after you.


Your primary responsibility is to PROTECT YOUR PRIVATE KEY.  It is
*STRONGLY* recommended that you keep this key on a protected, safe,
removable device (such as a floppy with write-protect enabled) and NOT 
let it out of your personal control.

If your PRIVATE key is COMPROMISED (ie: you lose the disk, you have reason 
to believe someone has stolen a copy of the key file, etc) you should
IMMEDIATELY contact the introducer (the organization or person you had sign
the key) *AND* the clean-news system at "revoke () clean-news org" by email.
When you contact the clean-news system, SIGN YOUR REVOCATION REQUEST.
DO NOT send anything other than a revocation request to the above address.
You should ALSO immediately revoke the key from any other key rings 
that you may have registered this key with.

Note that ANY message signed with your key will be PRESUMED to be issued
by you *PERSONALLY*.  For this reason you should take EXTREME care with
your private key.  If it is stolen and used for illicit purposes those
transactions will be traced to *YOU*, and you could find yourself under
investigation by either civil or criminal authorities for something you 
have not done.


Keys may be revoked by:

1.     The person who owns it at any time (ie; "I lost my key disk").

2.     Any LEO who provides an affidavit that said key was used to
      post copyrighted or otherwise illegal material.  

3.     Any LEO who provides an affidavit that a trusted introducer
      is not in fact trusted (ie: cannot produce the records, or produces
      false records, regarding a key they signed).

4.     A trusted introducer may revoke their signature of any person's key 
      that they have signed, in the event they discover that the key does 
      not in fact belong to the person claimed or identification was

When a key is invalidated the owner of the key is notified by email that 
their key was removed, and why (which of the above categories "happened").

A cancelled or revoked key is removed from the key ring, and is treated
exactly as if it was never submitted to the system.

To revoke a key as the owner of the key, send a PGP-signed request
to "revoke () clean-news org".  IF THE REQUEST IS NOT SIGNED OR THE SIGNATURE
IS INVALID IT WILL BE IGNORED.  Assuming that the signature is good, you 
will be notified by return email when the revocation is processed.


1.     Individuals do not pay to list keys.  However, INTRODUCERS may 
      charge for signing a key (at their discretion) and maintaining 
      the records necessary to comply with identification requests.

2.     Systems desiring a *direct* feed may be assessed a small charge
      to cover the operating expenses of the systems involved.  NO CHARGE
      TRANSPORT.  If you receive a feed of the cancels you are encouraged
      to propagate it, on mutually-agreeable terms, to others who are
      also willing to receive it.


1.     The records of the clean-news system are EXPLICITLY public.  
      Ergo, submitting a public key to the system constitutes 
      publication of that key, and the fact that it is signed by one
      or more organizations and individuals.  HOWEVER, that, alone, is
      worthless to an interloper.  The email address on the key does NOT
      have to be valid, nor does the name - it must only map to a unique
      person at the SIGNER'S location which can be disclosed through
      their policies.  As such, there is no privacy issue on the keyring
      used by the clean-news system ITSELF.

2.     Customers and users who have their keys signed by an introducer
      should make themselves aware of the privacy policies of the signer.

Karl Denninger (karl () denninger net)
I ain't even *authorized* to speak for anyone other than myself, so give
up now on trying to associate my words with any particular organization.

           Plain Aviation, Inc                  dean () av8 com
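As an added defensive example (not code from this thread or from the clean-news system itself): a receiving site's filter for incoming cancel control messages. It implements the alias-out of the `clean-news` Path site described in item 1 of Karl's post, recognises the `cancel.`-prefixed synthetic Message-ID convention he mentions, and applies Dean Anderson's rule that a cancel not issued by the original poster is treated as abuse. The sample articles, hosts and addresses are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

ALIASED_OUT_SITES = {"clean-news"}  # alias out this Path: site, per item 1 of the post

# Constructed sample articles (not real traffic); hosts and addresses are placeholders.
ORIGINAL = """Path: news.example.net!poster
From: alice@example.org (Alice)
Message-ID: <abc123@example.org>

binary payload would follow here (uuencoded or MIME)
"""
LEAKED_CANCEL = """Path: transit.example.com!clean-news!cancelbot
From: cancelbot@example.com (Clean-News robot)
Control: cancel <abc123@example.org>
Message-ID: <cancel.abc123@example.org>

cancel
"""

def path_sites(msg):
    """Split a Path: header (site1!site2!poster) into its site names."""
    return [s.strip() for s in msg.get("Path", "").split("!") if s.strip()]

def sender(msg):
    """Bare, lower-cased address from the From: header."""
    return parseaddr(msg.get("From", ""))[1].lower()

def cancel_target(msg):
    """Return the Message-ID named by 'Control: cancel <id>', or None."""
    parts = msg.get("Control", "").split()
    return parts[1] if len(parts) == 2 and parts[0].lower() == "cancel" else None

def is_synthetic_cancel_id(msg, target):
    """True if Message-ID uses the NoCeM/spam-cancel 'cancel.<id>' convention."""
    return msg.get("Message-ID", "").strip() == "<cancel." + target.lstrip("<")

def evaluate_cancel(cancel_raw, original_raw):
    """Decide whether a receiving site should honour a cancel: (verdict, reason)."""
    cancel, original = message_from_string(cancel_raw), message_from_string(original_raw)
    target = cancel_target(cancel)
    if target is None:
        return "accept", "not a cancel control message"
    if ALIASED_OUT_SITES & set(path_sites(cancel)):
        return "reject", "Path contains an aliased-out site"
    if original.get("Message-ID", "").strip() != target:
        return "reject", "cancel names a different article"
    if is_synthetic_cancel_id(cancel, target):
        return "reject", "synthetic 'cancel.' Message-ID (third-party spam cancel)"
    if sender(cancel) != sender(original):
        return "reject", "sender is not the original poster"
    return "accept", "cancel issued by the original poster"
```

In a real news server the same three checks would be applied before the cancel is executed against the spool; here they are kept as pure functions so the verdicts can be logged and audited.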
