Electric Type





Is Your Sysadmin Watching You?
by Matt Stevens 7 Feb 1997


Q:   Can people monitor what is being browsed in newsgroups? Is there any risk involved in reading or looking at the sensitive subjects sometimes contained in different alt.newsgroups? Can anyone see what you subscribe to or see?
- Extremely Curious

A:   It is possible for someone to monitor what newsgroups you read, but not just anyone can do it. In fact, systems administrators are usually the only people who have the ability to access this information.

The easiest way they can do it is by checking the log files produced by their news-server software. In order to illustrate how these logs work, I'll use INN, a popular Unix-based server, as an example. However, it's important to keep in mind that log files usually aren't available for public scrutiny. Only someone with root access (the Unix superuser, who can see and do anything) can monitor these files.

A log file looks something like this:

Jan 27 10:55:07 4H:nn nnrpd[5565]: crazy.hotwired.com connect

Jan 27 11:14:58 4H:nn nnrpd[5565]: crazy.hotwired.com group alt.autos.camaro.firebird 28

Jan 27 11:31:59 4H:nn nnrpd[5565]: crazy.hotwired.com group alt.guitar.amps 6

Jan 27 11:31:59 4H:nn nnrpd[5565]: crazy.hotwired.com exit articles 34 groups 3

Jan 27 11:31:59 4H:nn nnrpd[5565]: crazy.hotwired.com times user 0.517 system 0.301 elapsed 2212.411

From this snippet, we can see that someone using the computer named crazy.hotwired.com connected to the news server, read 28 messages in the newsgroup alt.autos.camaro.firebird, six messages in alt.guitar.amps, and then disconnected after looking at a total of three newsgroups (although they only read messages in two).

Here's an example of a log file where someone posted a message:

Jan 27 10:39:10 4H:nn nnrpd[5441]: chichi.hotwired.com connect

Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com post ok <johndoe-3812082150350001@chichi.hotwired.com>

Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com group alt.animals.badgers 2

Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com exit articles 2 groups 1

Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com posts received 1 rejected 0

Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com times user 0.280 system 0.138 elapsed 4254.531

In this example, someone connecting from chichi.hotwired.com posted a message to alt.animals.badgers. The message ID can be used to view the message within a Web browser - just type it in as a news URL. (In this case, you'd use news:johndoe-3812082150350001@chichi.hotwired.com, but since I made up this message ID, it won't work.) Also, notice that the first part of the message ID is what appears to be a username. This could be used to tell who posted the message, but since users can usually enter anything they want, it's not that reliable.

You should also notice in both these examples that the DNS name of the connecting computer (crazy.hotwired.com or chichi.hotwired.com) is the only piece of information that could be used to obtain the user's identity. If you normally connect to the Internet through a dialup account, it's likely that the IP address of your computer (and its associated DNS name) will change depending on which modem you happen to connect to at your ISP. This makes it a lot harder to figure out who's doing what. It's still possible, but you'd have to compare the dialup access-server logs with the news-server logs.

If you're reading news in an office or school environment, it's more likely that each computer will have an assigned name that doesn't change. If a computer is used by multiple people, your identity is more likely to remain anonymous. Since most computers these days are used by one person, though, it's usually pretty easy to match up a computer name with a user's name.

Systems administrators can also configure news servers to require a username and password from people who wish to read messages. If your news server requires this, your identity and reading habits are painfully clear.

Keep in mind, though, that while systems administrators can monitor users, they rarely do so, because they don't want to bother with the extra work. There's also some anonymity in numbers: the more people accessing a news server, the more work it is to keep track of who's doing what. If there are only a few dozen people accessing a server, individuals are a lot easier to monitor.
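What an administrator can reconstruct from the two log excerpts in the answer above, as an added Python example that is not part of the original column: it groups nnrpd entries into one record per connection. It assumes the line layout of those excerpts; the function and field names are illustrative.

```python
import re
from collections import defaultdict

# The two excerpts from the column, unchanged (hosts and message ID are the author's samples).
SAMPLE_LOG = """\
Jan 27 10:55:07 4H:nn nnrpd[5565]: crazy.hotwired.com connect
Jan 27 11:14:58 4H:nn nnrpd[5565]: crazy.hotwired.com group alt.autos.camaro.firebird 28
Jan 27 11:31:59 4H:nn nnrpd[5565]: crazy.hotwired.com group alt.guitar.amps 6
Jan 27 11:31:59 4H:nn nnrpd[5565]: crazy.hotwired.com exit articles 34 groups 3
Jan 27 11:31:59 4H:nn nnrpd[5565]: crazy.hotwired.com times user 0.517 system 0.301 elapsed 2212.411
Jan 27 10:39:10 4H:nn nnrpd[5441]: chichi.hotwired.com connect
Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com post ok <johndoe-3812082150350001@chichi.hotwired.com>
Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com group alt.animals.badgers 2
Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com exit articles 2 groups 1
Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com posts received 1 rejected 0
Jan 27 11:50:05 4H:nn nnrpd[5441]: chichi.hotwired.com times user 0.280 system 0.138 elapsed 4254.531
"""

# Timestamp and logging-host prefix, then "nnrpd[pid]: client event args..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ nnrpd\[(?P<pid>\d+)\]: "
    r"(?P<client>\S+) (?P<event>\w+)\s*(?P<rest>.*)$")

def parse_sessions(text):
    """Rebuild one record per reader session, keyed by (client host, nnrpd pid)."""
    sessions = defaultdict(lambda: {"start": None, "groups": {}, "posts": [],
                                    "articles": 0, "groups_entered": 0, "elapsed": None})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-nnrpd line
        s = sessions[(m["client"], int(m["pid"]))]
        event, args = m["event"], m["rest"].split()
        if event == "connect":
            s["start"] = m["ts"]
        elif event == "group" and len(args) == 2:    # "group NAME ARTICLES_READ"
            s["groups"][args[0]] = s["groups"].get(args[0], 0) + int(args[1])
        elif event == "post" and args[:1] == ["ok"] and len(args) > 1:
            s["posts"].append(args[1])               # message ID of the posted article
        elif event == "exit" and len(args) == 4:     # "exit articles N groups M"
            s["articles"], s["groups_entered"] = int(args[1]), int(args[3])
        elif event == "times" and "elapsed" in args[:-1]:
            s["elapsed"] = float(args[args.index("elapsed") + 1])
    return dict(sessions)

if __name__ == "__main__":
    for (client, pid), s in parse_sessions(SAMPLE_LOG).items():
        print(client, pid, s)
```

For crazy.hotwired.com the record shows three groups entered but articles read in only two, which is the same reading the column gives of that excerpt.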

