Gobledegook Headers

Technical support and discussion of Newsbin Version 6 series.

Postby mimauk » Mon Nov 26, 2012 10:54 am

Hi Guys

Some headers are appearing as gobbledegook in some groups even though they are identified as rar, jpg, sample files etc. at the end of the header.

A poster in one of the groups queried this and got a reply that ROT13 had to be applied to the header to read it - he gave an example about pressing ctrl+3 and applying ROT13 when using Agent.

Can something similar be done with Newsbin?
mimauk
Seasoned User
Posts: 328
Joined: Sun Aug 20, 2006 12:35 pm

Registered Newsbin User since: 03/29/06

Re: Gobledegook Headers

Postby Quade » Mon Nov 26, 2012 11:32 am

In the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding. The algorithm provides no cryptographic security, and is often cited as a canonical example of weak encryption.


Could you ask this moron not to do this?

There's no benefit to it. I'm not against adding it to Newsbin, but there's no obvious way to detect this automatically. I hate the idea of having to decode this stuff manually.

What group are you seeing this in?
Quade
Eternal n00b
Posts: 44990
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: Gobledegook Headers

Postby mimauk » Mon Nov 26, 2012 12:16 pm

Hi Quade

This particular query post is in a.b.multimedia - ''isthereastandardencryptionkeyorarewesupposedtoguesswhatthisis''

But I've noticed the actual posts are in several groups and every post has a different 'named' poster even though they all look to come from the same poster as the post consists of a rar file, sample files, thumbnail jpg file - everything in front of the file extension is nonsense. The files aren't encrypted and some of them are just copies and reposts of files posted in clear English by others.
mimauk
Seasoned User
Posts: 328
Joined: Sun Aug 20, 2006 12:35 pm

Registered Newsbin User since: 03/29/06

Re: Gobledegook Headers

Postby Plankton » Mon Nov 26, 2012 11:43 pm

This could be complete FUD as I'm only relaying how it was explained to me, but someone said it was being done to test ways to stop files being listed in YENC indexers to avoid DMCA search bots.

If this is the case you might see it more often and the groups may convert to this method but either way they are testing alternatives to avoid removal.
Plankton
Active Participant
Posts: 59
Joined: Mon Jan 16, 2012 9:07 pm

Re: Gobledegook Headers

Postby Quade » Tue Nov 27, 2012 12:05 am

Apparently it's ROT13 which means with a couple lines of code it's as transparent as normal text. That means Newsbin and the indexers will soon be decoding the encoded data and displaying it properly. I've already started work on it here.
Quade
Eternal n00b
Posts: 44990
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: Gobledegook Headers

Postby mankind99uk » Mon Dec 03, 2012 9:11 pm

I'm seeing more posts of the type 5759b30bd7b1f346127d4cb87d100071[01/13] - "150b6231d4d3cd4ca366dd6b9c524cd09b5d362e3e4158af9f2c509b6a075bac.0"
and of the type 4NTN3luRnKnbnQ0l3wwNl4[01/10] - "MVAsuvPKjogTvLSnL9Vq.par2" in a lot of groups.

Are these the type of headers that have been mentioned in this thread and will Newsbin be able to decipher them soon?
mankind99uk
Active Participant
Posts: 63
Joined: Fri Jun 18, 2004 1:03 pm

Registered Newsbin User since: 06/18/04

Re: Gobledegook Headers

Postby Quade » Mon Dec 03, 2012 9:41 pm

I got ROT13 in there and at least the ones I looked at weren't ROT13.

This text doesn't look like rot13 either. I don't mind supporting it. Have to figure out what it is first.

If one of you could get the poster to explain how it works, I wouldn't mind supporting it. They probably don't want us to know what it is though.
Quade
Eternal n00b
Posts: 44990
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: Gobledegook Headers

Postby tl » Tue Dec 04, 2012 9:42 am

mankind99uk wrote: I'm seeing more posts of the type 5759b30bd7b1f346127d4cb87d100071[01/13] - "150b6231d4d3cd4ca366dd6b9c524cd09b5d362e3e4158af9f2c509b6a075bac.0"
and of the type 4NTN3luRnKnbnQ0l3wwNl4[01/10] - "MVAsuvPKjogTvLSnL9Vq.par2" in a lot of groups.

Are these the type of headers that have been mentioned in this thread and will Newsbin be able to decipher them soon?

The first looks like some kind of hex-encoded hashes and the content gives no more clues with strange names and extensions. I bet there's some kind of service where you look these up, probably loaded with ads and possibly viruses. They look like they're probably secure hashes; if so, it's impossible to find out what they are without the (probably secret) index.

The second looks different enough that it's probably done by something else; the internal content is a bunch of mp3 files (in this specific case a single). Again I suspect it's some kind of private lookup or NZB service, with the title probably not possible to recover without that.

In short, the first may well be impossible to reverse, the second "merely" needs you to download the content before choosing whether to download it, which isn't particularly useful. :twisted:

Both seem to use Newsmangler to post, but it looks like they run different things before that to scramble things before they post it via Newsmangler.
tl
Seasoned User
Posts: 114
Joined: Tue Jul 15, 2003 1:55 pm

Registered Newsbin User since: 04/01/03

Re: Gobledegook Headers

Postby Quade » Tue Dec 04, 2012 10:30 am

I agree with your assessment. I was thinking instead of a hash, it's an encrypted string turned into hex, but it works out to the same thing. No way to pull the data back out. It could be that it's not reversible at all and the only way to download it and know what's there is the NZB. The NZB could have real subjects in it, even though the postings to the group have this scrambled mess.

I'm looking into adding a "what's this?" function so Newsbin can sample the first chunk of the first rar file and tell you what filenames it finds. I don't really see another solution. Maybe store this information in the storage.db3 so you only have to do it once to see what's in there. This feature probably won't be in 6.41 though. I'm trying to finish it and get it out the door.

People have been asking for a "double-click to view" feature for images and nfo files. Maybe include "what's this" in that so you double-click and it pops up information about the contents of the RAR.
Quade
Eternal n00b
Posts: 44990
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97

Re: Gobledegook Headers

Postby mimauk » Tue Dec 04, 2012 11:12 am

From what I can see there are two distinct types of files -

the ones ending with a dot and number, e.g. xyz.1 and xyz.2 etc., look to be encrypted and require a key of some sort.

the other type of posts end in the normal descriptive extension, e.g. .jpg, .sfv, .rar, and appear to be ROT13.

I use Easynews as one of my providers and I noticed when I was using my web browser (Firefox) to do a search on the website, not FTP, for a particular mp3 song it came up with a list which included some of the second type of posts and it had a translation of the post in brackets and in clear English after the gobbledegook.

As regards the first type of posts - I'm wondering if the perpetrators have read an old Desmond Bagley novel - Running Blind - where a mediocre spy was on the run with a mysterious gizmo which everyone was after. His bosses had set him up so that it would be captured and the opposition would throw all their resources at it to see what it would do. It didn't do anything; they just wanted them to waste their time. :D :D :D

hth.
mimauk
Seasoned User
Posts: 328
Joined: Sun Aug 20, 2006 12:35 pm

Registered Newsbin User since: 03/29/06

Re: Gobledegook Headers

Postby Quade » Tue Dec 04, 2012 12:34 pm

4NTN3luRnKnbnQ0l3wwNl4[01/10] - "MVAsuvPKjogTvLSnL9Vq.par2"


Isn't ROT13 even though it looks like it. I ran it through my converter, then ran some real ROT13 through it and the real stuff translated, but this didn't.

"Ubj pna lbh gryy na rkgebireg sebz na vagebireg ng AFN? Va gur ryringbef, gur rkgebireg ybbxf ng gur BGURE thl'f fubrf.";

Real ROT13 from Wikipedia.
Quade
Eternal n00b
Posts: 44990
Joined: Sat May 19, 2001 12:41 am
Location: Virginia, US

Registered Newsbin User since: 10/24/97
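
An added example, not Newsbin's code or any poster's: a heuristic sorter for the subject tokens quoted in this thread, covering both the ROT13 test in the post above and tl's hex-digest observation. The vocabulary list and the classify() labels are assumptions made for illustration.

```python
import codecs
import re

# Hex lengths that match common digest sizes. Length alone does not prove a
# hash: hex-encoded ciphertext of the same size looks identical.
DIGEST_HEX_LEN = {32: "128-bit", 40: "160-bit", 64: "256-bit"}

# Assumed, deliberately small vocabulary; a real tool would use a larger list.
COMMON_WORDS = {
    "the", "and", "how", "can", "you", "from", "other", "with", "this",
    "that", "for", "sample", "looks", "tell", "file", "part",
}

# Strings quoted in the thread, plus one constructed plain-text line.
SAMPLES = [
    "Ubj pna lbh gryy na rkgebireg sebz na vagebireg ng AFN? "
    "Va gur ryringbef, gur rkgebireg ybbxf ng gur BGURE thl'f fubrf.",
    "5759b30bd7b1f346127d4cb87d100071",
    "150b6231d4d3cd4ca366dd6b9c524cd09b5d362e3e4158af9f2c509b6a075bac",
    "4NTN3luRnKnbnQ0l3wwNl4",
    "the other sample from you",  # constructed
]


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.encode(text, "rot_13")


def word_hits(text: str) -> int:
    """Count alphabetic runs that appear in the vocabulary."""
    return sum(w in COMMON_WORDS for w in re.findall(r"[a-z]+", text.lower()))


def classify(token: str) -> str:
    token = token.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in DIGEST_HEX_LEN:
        return "hex:" + DIGEST_HEX_LEN[len(token)]
    raw, decoded = word_hits(token), word_hits(rot13(token))
    if decoded >= 2 and decoded > raw:
        return "rot13"   # decoding produced more real words than the input had
    if raw >= 2:
        return "plain"
    return "unknown"     # neither reading yields words: not ROT13, or too short


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):12} {s[:40]}")
```

A short single-word filename gives too few word hits either way and comes back "unknown", which is the automatic-detection problem raised earlier in the thread.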

Re: Gobledegook Headers

Postby mimauk » Tue Dec 04, 2012 1:09 pm

Quade wrote:
4NTN3luRnKnbnQ0l3wwNl4[01/10] - "MVAsuvPKjogTvLSnL9Vq.par2"


Isn't ROT13 even though it looks like it. I ran it through my converter, then ran some real ROT13 through it and the real stuff translated, but this didn't.

"Ubj pna lbh gryy na rkgebireg sebz na vagebireg ng AFN? Va gur ryringbef, gur rkgebireg ybbxf ng gur BGURE thl'f fubrf.";

Real ROT13 from Wikipedia.


That's another type then I hadn't noticed - I was looking at the ones in a.b.cbts.

Maybe different groups have different types of posters all vying for the most gobbledegook.
mimauk
Seasoned User
Posts: 328
Joined: Sun Aug 20, 2006 12:35 pm

Registered Newsbin User since: 03/29/06

Re: Gobledegook Headers

Postby spotter » Wed Dec 05, 2012 3:16 am

Any sort of gobbledegook that can be automatically decoded with some relative ease won't do much in terms of preventing DMCA takedowns.

The way I imagine the arms race going (at least if usenet is going to remain "practical") is to basically treat usenet like a torrent cloud. i.e. design some sort of nzb scheme that can constantly have headers added to it and those will be parts you can fill in. So even if some/all parts get removed, all it takes is someone else to be able to upload the same exact parts and you to be automatically informed about them to be able to download them.

The counter would be that the servers would probably be forced to basically auto remove any parts that show up in specific seed files that are provided to them. (I really bet that the DMCA requests we see today are leveraging nzb files, if not those provided by various sources then simply creating them and providing them to the providers as instructions on what to remove).

A possible counter to this would be having the seed files also contain lots of junk data (i.e. imagine it contains 2 references for each part, 1 is valid, 1 isn't), but this is going to impose a bandwidth cost to figure out what's appropriate data and what isn't. The only advantage I can see is if it prevents a more automated means of DMCA removal if it be illegal for them to DMCA takedown request stuff they know has a high probability of not infringing their copyright (though I have my doubts how this would legally be viewed). But of course this has the big cost of adding to the download cost. Even if they can't just simply provide the nzb file, they could download the parts and continuously monitor the seed for added valid parts, this would put an added cost on them, but that's simply what this arms race is. How much do they value taking this stuff down, and can you increase their cost to do it beyond that point so that they don't bother, but you'll probably increase end user cost as well.

Which basically ends up meaning that usenet will mostly go underground, junk data being posted in a stenographic manner (a la the gobbledegook we see) with nzb files that are not shared widely being a requirement in order to download anything.

Or perhaps someone smarter than me will come up with a better solution.
spotter
Seasoned User
Posts: 172
Joined: Tue Feb 12, 2002 12:00 pm

Registered Newsbin User since: 05/05/06

