RISKS-LIST: RISKS-FORUM Digest Friday 1 April 1988 Volume 6 : Issues

RISKS-LIST: RISKS-FORUM Digest Friday 1 April 1988 Volume 6 : Issues
52,54,55,58

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
April Fool's warning from Usenet (Gene Spafford via Cliff Stoll) [RISKS-6.52]
Re: April Fool's Warning from Usenet (Gene Spafford) [RISKS-6.54]
April Forgeries (Charles Daffinger, Rahul Dhesi) [RISKS-6.55]
April Fool's Warning (Piet Beertema) [RISKS-6.55]

----------------------------------------------------------------------

Date: Thu, 31 Mar 88 12:17:48 PST
From: [email protected] (Cliff Stoll)
Subject: April Fool's warning from Usenet

Here's the warning from USENET's news.announce.important:

From: [email protected] (Gene Spafford)
Subject: Warning: April Fools Time again (forged messages on the loose!)
Date: 1 Apr 88 00:00:00 GMT
Organization: Dept. of Computer Sciences, Purdue Univ.

Warning: April 1 is rapidly approaching, and with it comes a USENET
tradition. On April Fools day comes a series of forged, tongue-in-cheek
messages, either from non-existent sites or using the name of a Well Known
USENET person. In general, these messages are harmless and meant as a joke,
and people who respond to these messages without thinking, either by flaming
or otherwise responding, generally end up looking rather silly when the
forgery is exposed.

So, for the next couple of weeks, if you see a message that seems completely
out of line or is otherwise unusual, think twice before posting a followup
or responding to it; it's very likely a forgery.

There are a few ways of checking to see if a message is a forgery. These
aren't foolproof, but since most forgery posters want people to figure it
out, they will allow you to track down the vast majority of forgeries:

o Russian computers. For historic reasons most forged messages have
as part of their Path: a non-existent (we think!) russian
computer, either kremvax or moscvax. Other possibilities are
nsacyber or wobegon. Please note, however, that walldrug is a real
site and isn't a forgery.

o Posted dates. Almost invariably, the date of the posting is forged
to be April 1.

o Funky Message-ID. Subtle hints are often lodged into the
Message-Id, as that field is more or less an unparsed text string
and can contain random information. Common values include pi,
the phone number of the red phone in the white house, and the
name of the forger's parrot.

o subtle mispellings. Look for subtle misspellings of the host names
in the Path: field when a message is forged in the name of a Big
Name USENET person. This is done so that the person being forged
actually gets a chance to see the message and wonder when he
actually posted it.

Forged messages, of course, are not to be condoned. But they happen, and
it's important for people on the net not to over-react. They happen at this
time every year, and the forger generally gets [his/her] kick from watching the
novice users take the posting seriously and try to flame their tails off. If
we can keep a level head and not react to these postings, they'll taper off
rather quickly and we can return to the normal state of affairs: chaos.

Thanks for your support. Gene Spafford

[Especially if the forger is into forging Trojan horseshoes. PGN]

------------------------------

From: [email protected] (Gene Spafford)
Subject: Re: April Fool's Warning from Usenet (RISKS-6.52)
Date: 4 Apr 88 23:34:57 GMT

In Risks 6.52, Cliff Stoll forwarded a posting on the Usenet about forged
articles. He attributed it to me, and unfortunately either Cliff or Peter
trimmed most of the news header lines out. Why was it unfortunate? Because
the article was itself a forgery, and the headers exhibited all of the
indicators the posting warned were in bogus articles!

It was a marvelous joke except for the fact I've gotten about 40 mail
messages so far from people who didn't realize that it was a forgery. Now
it shows up in Risks!

I am 99% certain who did it, and I can't wait for next April 1....

Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: [email protected] uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf

[Mortifications from the Moderator, who tries to keep RISKS Readable
by Hewing Headers. In this case I should have left the entire sequence
in, to add to the evidence described in the message. Very clever. PGN]

------------------------------

Date: Mon, 4 Apr 88 23:17:09 EST
From: Charles Daffinger <[email protected]>
Subject: April Forgeries (Re: RISKS-6.52)

[Most of you have chortled appropriately at the Spafford Spoof. Charles'
message is apparently intended for those of you who need more explicit
references to the self-referential evidence left by the forged forgery
warning. By the way, Charles neglected to remark that RISKS-6.52 was
not put out on 1 April either. PGN]

Here's the article warning about forgeries: Note the strange date, note
that spaf's message is dated *after* the message it was enclosed in, and
a couple of self-references in the posting! Enjoy!

In article <[email protected]> you write:
>RISKS-LIST: RISKS-FORUM Digest Friday 1 April 1988 Volume 6 : Issue 52
>

>Contents:
> April Fool's warning from Usenet (Gene Spafford via Cliff Stoll)
>
>Date: Thu, 31 Mar 88 12:17:48 PST
^^^^^^^^^^^^^^^^^^^^^^^^^^^
>From: [email protected] (Cliff Stoll)
>Subject: April Fool's warning from Usenet
>
>Here's the warning from USENET's news.announce.important:
>
>From: [email protected] (Gene Spafford)
==================================
>Subject: Warning: April Fools Time again (forged messages on the loose!)
>Date: 1 Apr 88 00:00:00 GMT
^^^^^^^^^^^^^^^^^^^^^
>Organization: Dept. of Computer Sciences, Purdue Univ.
>
>Warning: April 1 is rapidly approaching, and with it comes a USENET
>tradition. On April Fools day comes a series of forged, tongue-in-cheek
>messages, either from non-existent sites or using the name of a Well Known
==============================
>USENET person. In general, these messages are harmless and meant as a joke,
=======
[...]
>
> o Posted dates. Almost invariably, the date of the posting is forged
> to be April 1. =================================
=============

------------------------------

Date: Mon, 4 Apr 88 23:25:38 EST
From: [email protected] (Rahul Dhesi)
Subject: April Forgeries (Re: RISKS-6.52)
Organization: CS Dept, Ball St U, Muncie, Indiana

.. Of course, it's possible that it was a double-forgery, i.e., that Gene
Spafford forged it himself. -- Rahul Dhesi
[Sorry. Not THIS TIME. PGN]

------------------------------

Date: Mon, 11 Apr 88 16:28:13 +0200
From: [email protected] (Piet Beertema)
Subject: April Fool's Warning (Re: RISKS-6.55) [The last word was the first!]

>Subject: April Fool's warning from Usenet
>From: [email protected] (Gene Spafford)
> ==================================
>Date: 1 Apr 88 00:00:00 GMT
^^^^^^^^^^^^^^^^^^^^^

[Piet points out that the key line that I inadvertently deleted
-- and already noted so doing -- was the path:]

.. which contained ...!kremvax!perdue!spaf
(kremvax was one of the sites warned for!).

[Piet of course is famous as the perpetrator of the Chernenko hoax four
years ago. That was the Ur-hoax and deserves many kudos. RISKS has
received quite a few queries from neophytes who were not around on 1 April
1984. They may find the message "from" mcvax!moskvax!kremvax!Chernenko and
the delightfully annotated ensuing responses in their entirety -- including
all of the header stuff! -- in ACM SIGSOFT Software Engineering Notes vol 9
no 4, July 1984, pp. 6-8. Or ask Piet if he still has it on line. PGN]

------------------------------

End of RISKS-FORUM Digest 6.APRIL-1
************************