RISKS-LIST: RISKS-FORUM Digest Friday 1 April 1988 Volume 6 : Issues 52,54,55,58

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: April Fool's warning from Usenet (Gene Spafford via Cliff Stoll) [RISKS-6.52] Re: April Fool's Warning from Usenet (Gene Spafford) [RISKS-6.54] April Forgeries (Charles Daffinger, Rahul Dhesi) [RISKS-6.55] April Fool's Warning (Piet Beertema) [RISKS-6.55]

----------------------------------------------------------------------

Date: Thu, 31 Mar 88 12:17:48 PST From: cliff@Csa5.LBL.Gov (Cliff Stoll) Subject: April Fool's warning from Usenet

Here's the warning from USENET's news.announce.important:

From: spaf@cs.purdue.EDU (Gene Spafford) Subject: Warning: April Fools Time again (forged messages on the loose!) Date: 1 Apr 88 00:00:00 GMT Organization: Dept. of Computer Sciences, Purdue Univ.

Warning: April 1 is rapidly approaching, and with it comes a USENET tradition. On April Fools day comes a series of forged, tongue-in-cheek messages, either from non-existent sites or using the name of a Well Known USENET person. In general, these messages are harmless and meant as a joke, and people who respond to these messages without thinking, either by flaming or otherwise responding, generally end up looking rather silly when the forgery is exposed.

So, for the next couple of weeks, if you see a message that seems completely out of line or is otherwise unusual, think twice before posting a followup or responding to it; it's very likely a forgery.

There are a few ways of checking to see if a message is a forgery. These aren't foolproof, but since most forgery posters want people to figure it out, they will allow you to track down the vast majority of forgeries:

o Russian computers. For historic reasons most forged messages have as part of their Path: a non-existent (we think!) russian computer, either kremvax or moscvax. Other possibilities are nsacyber or wobegon. Please note, however, that walldrug is a real site and isn't a forgery.

o Posted dates. Almost invariably, the date of the posting is forged to be April 1.

o Funky Message-ID. Subtle hints are often lodged into the Message-Id, as that field is more or less an unparsed text string and can contain random information. Common values include pi, the phone number of the red phone in the white house, and the name of the forger's parrot.

o subtle mispellings. Look for subtle misspellings of the host names in the Path: field when a message is forged in the name of a Big Name USENET person. This is done so that the person being forged actually gets a chance to see the message and wonder when he actually posted it.

Forged messages, of course, are not to be condoned. But they happen, and it's important for people on the net not to over-react. They happen at this time every year, and the forger generally gets [his/her] kick from watching the novice users take the posting seriously and try to flame their tails off. If we can keep a level head and not react to these postings, they'll taper off rather quickly and we can return to the normal state of affairs: chaos.

Thanks for your support. Gene Spafford

[Especially if the forger is into forging Trojan horseshoes. PGN]

------------------------------

From: spaf@purdue.edu (Gene Spafford) Subject: Re: April Fool's Warning from Usenet (RISKS-6.52) Date: 4 Apr 88 23:34:57 GMT

In Risks 6.52, Cliff Stoll forwarded a posting on the Usenet about forged articles. He attributed it to me, and unfortunately either Cliff or Peter trimmed most of the news header lines out. Why was it unfortunate? Because the article was itself a forgery, and the headers exhibited all of the indicators the posting warned were in bogus articles!

It was a marvelous joke except for the fact I've gotten about 40 mail messages so far from people who didn't realize that it was a forgery. Now it shows up in Risks!

I am 99% certain who did it, and I can't wait for next April 1....

Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf

[Mortifications from the Moderator, who tries to keep RISKS Readable by Hewing Headers. In this case I should have left the entire sequence in, to add to the evidence described in the message. Very clever. PGN]

------------------------------

Date: Mon, 4 Apr 88 23:17:09 EST From: Charles Daffinger <cdaf@iuvax.cs.indiana.edu> Subject: April Forgeries (Re: RISKS-6.52)

[Most of you have chortled appropriately at the Spafford Spoof. Charles' message is apparently intended for those of you who need more explicit references to the self-referential evidence left by the forged forgery warning. By the way, Charles neglected to remark that RISKS-6.52 was not put out on 1 April either. PGN]

Here's the article warning about forgeries: Note the strange date, note that spaf's message is dated *after* the message it was enclosed in, and a couple of self-references in the posting! Enjoy!

In article <12386860573.13.NEUMANN@KL.SRI.COM> you write: >RISKS-LIST: RISKS-FORUM Digest Friday 1 April 1988 Volume 6 : Issue 52 >

>Contents: > April Fool's warning from Usenet (Gene Spafford via Cliff Stoll) > >Date: Thu, 31 Mar 88 12:17:48 PST ^^^^^^^^^^^^^^^^^^^^^^^^^^^ >From: cliff@Csa5.LBL.Gov (Cliff Stoll) >Subject: April Fool's warning from Usenet > >Here's the warning from USENET's news.announce.important: > >From: spaf@cs.purdue.EDU (Gene Spafford) ================================== >Subject: Warning: April Fools Time again (forged messages on the loose!) >Date: 1 Apr 88 00:00:00 GMT ^^^^^^^^^^^^^^^^^^^^^ >Organization: Dept. of Computer Sciences, Purdue Univ. > >Warning: April 1 is rapidly approaching, and with it comes a USENET >tradition. On April Fools day comes a series of forged, tongue-in-cheek >messages, either from non-existent sites or using the name of a Well Known ============================== >USENET person. In general, these messages are harmless and meant as a joke, ======= [...] > > o Posted dates. Almost invariably, the date of the posting is forged > to be April 1. ================================= =============

------------------------------

Date: Mon, 4 Apr 88 23:25:38 EST From: iuvax!bsu-cs!dhesi@rutgers.edu (Rahul Dhesi) Subject: April Forgeries (Re: RISKS-6.52) Organization: CS Dept, Ball St U, Muncie, Indiana

... Of course, it's possible that it was a double-forgery, i.e., that Gene Spafford forged it himself. -- Rahul Dhesi [Sorry. Not THIS TIME. PGN]

------------------------------

Date: Mon, 11 Apr 88 16:28:13 +0200 From: mcvax!cwi.nl!piet@uunet.UU.NET (Piet Beertema) Subject: April Fool's Warning (Re: RISKS-6.55) [The last word was the first!]

>Subject: April Fool's warning from Usenet >From: spaf@cs.purdue.EDU (Gene Spafford) > ================================== >Date: 1 Apr 88 00:00:00 GMT ^^^^^^^^^^^^^^^^^^^^^

[Piet points out that the key line that I inadvertently deleted -- and already noted so doing -- was the path:]

... which contained ...!kremvax!perdue!spaf (kremvax was one of the sites warned for!).

[Piet of course is famous as the perpetrator of the Chernenko hoax four years ago. That was the Ur-hoax and deserves many kudos. RISKS has received quite a few queries from neophytes who were not around on 1 April 1984. They may find the message "from" mcvax!moskvax!kremvax!Chernenko and the delightfully annotated ensuing responses in their entirety -- including all of the header stuff! -- in ACM SIGSOFT Software Engineering Notes vol 9 no 4, July 1984, pp. 6-8. Or ask Piet if he still has it on line. PGN]

------------------------------

End of RISKS-FORUM Digest 6.APRIL-1 ************************