Author Message
aaron
User Verification -- Is It Feasible?   Mar 25 23:47 UTC 1995

 The talk of verifying users goes well beyond M-Net and Grex.  Law
 review articles often assert that different legal standards should
 apply to systems that verify their users, as opposed to systems that
 do not, with the latter being subjected to greater legal risk.  But
 is verification feasible in the modern world?

 Unless you require subscribers to personally appear with photo ID in hand
 and verify that the photo ID is correct and belongs to the subscriber, can
 any verification system be effective?  A cheap scanner and readily
 available software enable any computer user to create a convincing
 "photocopy" of a driver's license that contains absolutely no correct
 information.

 The big systems, such as Prodigy and AOL, frequently send out free
 trial offers.  Is it not possible to get a "verified" account on one
 of these systems using a "free trial offer" package sent to somebody
 else?

 And, of course, there is the problem that, even if all accounts are
 verified, security may be breached by employees of the service or by the
 actions of the subscriber.  (Prodigy is being sued for libel over
 statements posted from a cancelled account, quite possibly by a Prodigy
 employee.)  This last point, though, should be addressed separately from
 whether user verification is possible -- it implicates the somewhat
 different question of when user verification is sufficient to justify a
 heightened legal protection for the service.
147 responses total.
steve
response 1 of 147:   Mar 26 02:12 UTC 1995

  It's always possible to get around validation, and it does become an
endless loop, getting ever deeper into insuring someone is who they say
they are.  I think the concept of validation is going to stay however,
as electronic communications becomes critical to most forms of business
activity.  It still isn't reasonable.
davel
response 2 of 147:   Mar 26 02:59 UTC 1995

Of course absolute verification is impossible.  But that doesn't mean there's
no difference between taking reasonable precautions & taking none.
aaron
response 3 of 147:   Mar 26 06:36 UTC 1995

What is "reasonable"?  Is it reasonable to give out the free introductory
memberships, in the fashion of Prodigy or AOL, which allow for the creation
of an anonymous account that will likely be traced to somebody else (the
named recipient of the package)?  What form of verification should be
adequate?  What form of verification will protect against even low-tech
efforts, such as altering the information on one photocopy and sending
the service a second generation photocopy containing the changed information?
selena
response 4 of 147:   Mar 26 07:00 UTC 1995

        And, why does this board NEED it, for non-voters? You guys
already said that state law says you gotta keep a list of voters..
but beyond that, as metronet and nether.net show, it's not needed
for telnet, or ftp, or www, or any of that.
steve
response 5 of 147:   Mar 26 08:02 UTC 1995

   In the case of Grex, we want to be able to get back to a person
if they post something really "bad", when we get usenet back up.
   Authentication for Metronet is only a matter of time.  Nether.net
is an unusual case, and Jared is being incredibly trustful in his
access policies.  I hope he can continue that, but, judging from
some of the people who've come on to Grex and tried various things,
I have to wonder.  There really are a small but unfortunately significant
number of people who try all sorts of nasty shit on systems, seemingly
because 'they' just like to do it.
aaron
response 6 of 147:   Mar 26 08:11 UTC 1995

There's another item to discuss need.  This one is about feasibility.
lilmo
response 7 of 147:   Mar 26 19:51 UTC 1995

Re #3:  the "trial offer memberships" are not really tied to the name it was
sent to (at least for AOL).  I found a "trial membership" for someone that they
left in the post office trash, and used it, and it didn't assume *I* was that
person, it asked for ALL my information.  In other words, I assume I would have
gone through the same verification procedures as anyone else getting an 
account, had I actually gone through with applying.  You could fake information
when applying for ANY account, "trial membership" or not.  But they ask for a 
credit card number, which they presumably check, so they can (again, presumably)
charge you if you cost them money.
eeyore
response 8 of 147:   Mar 27 03:58 UTC 1995

what sort of verification does the system need, anyway?  i was never asked
for i.d., but i assumed that was because i've met quite a few of the staffers,
and handed my money to danr in person.  does this mean that i'm verified
(when i've actually paid my money), or should i have also given a copy of 
some sort of i.d?  and if the latter is true, then why was i never informed
of that before i started reading all of this stuff here on co-op?
tsty
response 9 of 147:   Mar 27 05:53 UTC 1995

The kind of verification that is currently but a gleam in somebody's
glazed eyeball would be a measure of such draconian proportions that
we who are already here simply would +not+ stand for it. Don't
consider it anarchy, it's not; it should/would be a staunch resistance
against tyrannizing the free flow of information. 
  
IFF there is a "problem" (who pre-judges), the selected miscreant
may or may not be located. Depending on the severity of the "problem,"
the resources to locate/identify +might+ get called into play - but it
must be (imo) based on an "after the fact" event, not a prior
and blanket presumption in anticipation. 
  
Feasibility is extremely, extremely low except under totalitarianism.
  
Since the US is trying to export the politics of life, liberty and
the pursuit of happiness through democracy and free speech (to say
nothing of the enforced, formal public education through grade 12),
the US has to stay the course to set the example in cyberspace for
other countries' residents to follow. How else can we presume to
contaminate the dictatorships still extant on Earth? How else can
we foment rebellions and uprisings against cruel and unusual governments?
How much wiser this course is than a return to a Cold War and the
concomitant Arms Race? Where else do "We the People" get to speak
unfettered and fearlessly? We should/could continue to use the
public's censure not the gummint's censor against those deemed
so unsocialized as to "screw up." Feasible verification? HA!
lilmo
response 10 of 147:   Mar 27 06:13 UTC 1995

Very stirring, tsty...  Tell me, do you lock your doors at night?
lilmo
response 11 of 147:   Mar 27 06:14 UTC 1995

And I meant both parts of that last post, wholeheartedly.
mdw
response 12 of 147:   Mar 27 08:36 UTC 1995

(In item 13 response 43, I've entered a response to what Selena asked in
response 4 here.)
selena
response 13 of 147:   Mar 28 05:38 UTC 1995

        Yeah, well, steve is wrong in what HE posted here- Metronet has been
getting steadily FREER with what it lets you do! I know, I've talked to
Gerald Fury, the guy who runs the show! His intentions are to provide
everyone with free, open access to ANYONE, and with a public, anonymous
account! Saying it's a matter of time is just trying to make one's self
sound reasonable for not wanting to allow the same!
srw
response 14 of 147:   Mar 28 06:18 UTC 1995

More power to him. I hope he is not inundated with both traffic and 
bad guys. Our experience here says he will be.
scg
response 15 of 147:   Mar 28 14:04 UTC 1995

It's obvious from lots of things that he doesn't know much about system
administration, and I'd hate to see Grex follow Metronet's example too
closely.  See my response in the other item.
pegasus
response 16 of 147:   Mar 28 17:29 UTC 1995

Where is metronet located? In A2?

        Pattie
ajax
response 17 of 147:   Mar 29 21:39 UTC 1995

  It seems plausible to me as Internet access becomes more affordable,
open systems like metronet may become more common.  If so, then the
problem of hackers congregating on such systems will lessen, as they can
distribute themselves among many non-verifying systems.
 
  I don't like the idea of every system requiring verification to get on
the Internet.  Systems that are vulnerable to telnetting hackers ought
to keep improving their own security, rather than relying on other systems
to provide security guards at every "on-ramp."  Threats that
meta-providers will cut access to Internet providers for such policies are
scary...they give a lot of power to the top-level Internet backbone
providers (like AOL), as they can threaten to cut off access to large
groups of Internet users if we don't follow their policies.
 
  On the other hand, Usenet posting is a bit different than telnetting.
The way it's set up, Usenet recipients are somewhat at the mercy of what
other systems allow to be posted (e.g. spammers).  It's not like telnet
where you can erect firewalls and take other security precautions.  So I
think Grex's current verification policy is reasonable in this regard.
tsty
response 18 of 147:   Mar 30 01:51 UTC 1995

regarding lilmo's #10 - yes, I lock my doors and, even though you 
didn't ask, I also installed and use the locks on the refrigerator.
  
I think i know into what direction you are headed, and my answer, in
advance of the question, is: if you don't want it available, don't
make it available, food, programs, spare tires, TV, etc. 
  
locks only stop honest people and the better the lock, the more
honest the person who needs the mechanical help to assist the
socialization policy of "if it ain't yours, and you ain't got
permission, paws off."
nephi
response 19 of 147:   Mar 30 07:26 UTC 1995

(Could you please restate your last paragraph, TS?  It lost me 
 somewhere.)
steve
response 20 of 147:   Mar 31 20:51 UTC 1995

   If Metronet can stay open, that's fine.  There would be nothing
better.  What I was saying (not very well, it seems) is that with Merit
shutting down all access to the unauthenticated masses, probably in
September, systems like Metronet and Grex and ?, are going to be
affected.  Negatively.  We're ramoing up on our dialins now, partly
because of this.  By next week we'll have 11 lines here, up from 6
in January.  But a lot of other systems aren't going to be as lucky I
fear, and those systems are going to lose people.
popcorn
response 21 of 147:   Apr 1 05:58 UTC 1995

"ramoing"?  <valerie pictures a ram, mooing>
mdw
response 22 of 147:   Apr 1 10:33 UTC 1995

In the business world, I'd say that the police & other legal entities
have become fond of using credit cards & other negotiable instruments to
trace people.  There's a saying that often proves too true here: "follow
the money.  When you know where the money went, you will know who did
it."

On Grex, and other open access systems, this is not possible.  It's also
not necessary; many of the commercial crimes, such as fraud, theft, and
so forth, just aren't possible.  There are really only a few crimes
left: vandalism, libel, and harassment.  Of these, libel is in practice
pretty rare.  Vandalism is the most common reason systems implement
verification; by denying access to users caught in the act, systems hope
to avoid doing the work to make the system secure: usually that results
in an escalating feedback loop of tensions.  Harassment is kind of a
double edged sword.  On the one hand, systems sometimes are able to use
user verification as a means to track down problem users, and to modify
their behavior.  On the other hand, not all systems are themselves
reliable, so many users are reluctant to trust identification
information to strangers who may not be worthy of that trust.
ajax
response 23 of 147:   Apr 1 14:56 UTC 1995

  Good summary...I think the most wide-spread e-crime of all right now is
copyright infringement, both in terms of crimes committed, and of crimes
prosecuted.  It's getting to be like nailing mobsters on tax fraud charges:
when a gov't person or group are intent on shutting down an on-line system
or individual, they can often find *something* that violates a copyright.
 
  It makes a good front to hide the real motivations of the "law-enforcers;"
the Church of Scientology recently hired police to erase a critic's computer
files and backups, under the guise of copyright infringement.  I think that
was also the charge the SS used against Steve Jackson Games, when they
erased their not-yet-published books, e-mail and other files...they claimed
a user had uploaded copyrighted source code to their BBS.
gregc
response 24 of 147:   Apr 1 18:56 UTC 1995

Just to set the record straight re: Steve Jackson Games.
The raid on SJG was only one part of operation sundevil. Jackson's book
was not erased, but the FBI held his computer for so long as "evidence"
that they had to reconstruct the book from memory in order to
get it published in a timely manner.

Someone had cracked into a Southwestern Bell computer and stolen a
document related to the 911 system. The thief took the document as a
"trophy" to prove to other crackers that he got into the computer. A lot
of wild claims were made that got blown up by the media about how
this document contained "secret information" about the inner workings of the
911 system that would enable hackers to bring the 911 system down and
cause untold human suffering for everyone who would be unable to call 911
for help, etc, etc, ad nauseum.

The reality of the situation was that the document contained no technical
information and was a big mass of managerial mumbo-jumbo dealing with
internal managerial organization of the personnel involved with the 911
system. It was about as exciting as a page out of the employee's handbook.
Also, in the time honored spirit of the right hand not knowing what the
left hand was doing, it later came out at the trial that *anyone* could
obtain this document by calling a specific Southern Bell number and 
requesting document #XXXXXXXXX.

The document got distributed through a bunch of cracker related BBS's.
One of those BBS's was run, at home, by an employee of SJG. He was also
the person responsible for running the BBS *at* SJG. So the FBI assumed
that SJG was also a guilty party and took their computers too.

I'm not defending the FBI here, what they did was moronic. They acted out of
fear. From what I've been able to find, most, if not all, of the FBI
involved in this action had more knowledge about how their electric stapler
worked than a computer. Computers were unknown, mysterious, and therefore
should be feared. As the old saying goes "Don't attribute to malice, what
can be more easily explained by stupidity", the FBI just cast one great
big stupid blanket.

I've heard all the conspiracy theories about how SJG's book contained
all this top-secret info and the government didn't want us to see it,
but those tales don't match any of the evidence I've seen or any of the
accounts I've read. SJG's book didn't contain anything that couldn't
be found other places. They simply got caught up in collateral damage
from the FBI's steamroller.

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss