25 new of 184 responses total.
polytarp
response 134 of 184: Sep 9 21:03 UTC 2002

jp2; how would you build a URANIAUM  BLOW I
  H
   I
  R
   O
  S
   H
  I
   M
  A

boom?
cross
response 135 of 184: Sep 9 21:58 UTC 2002

Regarding #75; Well, how come ID is only required for outbound network
access, then?  *All* users around here get access to compilers, etc.
And the public access kiosks at Columbia allow one to run Java in a
browser; practically the same thing as giving shell/compiler access.
cross
response 136 of 184: Sep 9 22:24 UTC 2002

Regarding #131; Yes, Mark does an excellent job, and his performance
should be commended.  This discussion isn't a criticism of him or his
hard work; it's about grex policy.  ``Play the puck, not the man,'' as
my friend used to say about hockey.
other
response 137 of 184: Sep 9 22:27 UTC 2002

You're telling me that public kiosks on the campus of Columbia allow 
anonymous public access and allow saving of files onto them?  Do they 
have cd/disk drives or e-net ports so walk-up users can download data 
they grab from the web, or upload their keystroke loggers?  

And as for our compiler access, we do a pretty good job of securing our 
own machine, but since we can't rely on the rest of the world to do the 
same, the founders felt that we had the responsibility to implement some 
basic measures to reduce the likelihood of Grex being used as a base for 
launching attacks on the Internet.  Therefore, we're not too worried 
about what you might do with programs you've compiled on our own machine, 
because staff watches, and robocop watches, and our software is developed 
and configured to minimize the possibility of serious mischief, so we 
don't feel the need to ask for ID for compiler access, but if you go 
thrashing about on the Internet from our machine, I think it entirely 
reasonable that we should know just who you are.  Even if you only go 
gently tiptoeing about the Internet from our machine, I still think it 
entirely reasonable that we should know just who you are, because we 
don't know in advance what kind of use you'll make of our machine, and 
it's a hell of a lot more practical to prevent a mess than to clean up 
after it.

The simple fact is we're playing a numbers game.  The vast majority of 
users don't have any intention or desire to cause trouble, the same can 
be said of the members group.  If we offered no threshold, no challenge, 
to those who DO wish to cause trouble, then we'd have a much higher 
percentage of them on our system.  Our measures will not prevent any and 
all possible abusers or abuses, but they do a hell of a lot to reduce the 
incidences we actually have to deal with.  We still get at least 20 or 30 
attempted cracks or attacks on any given day.  If we eliminated our ID 
threshold, nobody would even be able to use our system, we'd be so 
overloaded with assholes with just enough knowledge to be dangerous (as 
opposed to the kind we entertain now).
gull
response 138 of 184: Sep 10 02:19 UTC 2002

Considering the number of people who try to compile IRC bots and such as it
is, even though they won't work, I'd agree with that assessment.
jmsaul
response 139 of 184: Sep 10 02:41 UTC 2002

>If we eliminated our ID 
>threshold, nobody would even be able to use our system, we'd be so 
>overloaded with assholes with just enough knowledge to be dangerous (as 
>opposed to the kind we entertain now).

Not proven.  And again, there's a middle ground between allowing completely 
anonymous access and making copies of people's drivers' licenses.  Why do
you feel it necessary to argue the extremes, when the reasonable solution
is probably somewhere in the center -- take names and addresses.
mdw
response 140 of 184: Sep 10 08:19 UTC 2002

We already ask for names & addresses (in newuser).  Granted, it's
optional, but it's amazing how many vandals enter <something>.  A lot of
it is obviously bogus (telephone numbers like "555-0000"), but even
*just* given the number of people who bring bots over, if we gave them
network access purely upon receipt of getting a name/address, we'd be
overwhelmed in no time at all.  If we made an attempt to verify those
names/addresses (and I can't think of any free way to do so), that in
itself would consume massive amounts of someone's time, who would
probably quickly fall behind.  The latter is something that virtually
every freenet did, after they discovered that offering free internet
access created too many problems.

That is just the bot problem.  Vandals present yet another problem.
Vandals normally like to hop through lots of systems to hide their
tracks.  I don't think they would have any problem supplying fake data
to us, if that were our policy.  There are already web pages out there
that document all of this.  We recently asked one site to take grex's
name off their list, on the grounds that we weren't actually useful for
"hop-through" use (and yes, thankfully, they did grudgingly remove our
name.)
robh
response 141 of 184: Sep 10 09:14 UTC 2002

Re 133 - FWIW, I routinely use telnet from Grex to access my
other shell account (and vice versa) at least a few times a week.
russ
response 142 of 184: Sep 10 11:34 UTC 2002

Re #139:  You can "take" names and addresses, but how do you know that
they belong to the person requesting access?   I could give you a thousand
names and addresses out of the phone book; it wouldn't mean anything.

If the person making the request obviously had possession of some official
document such as a driver's license (because they were able to copy it),
we've handled that issue.  
mynxcat
response 143 of 184: Sep 10 11:53 UTC 2002

How do you know it's his driver's license? I could send in a copy of my
boyfriend's license, and grex wouldn't be any the wiser. How did getting the
copy of identification help? Grex still doesn't have the right information,
and even worse, has the potential to implicate a third innocent person. If
you're not going to do an actual verification that the person whose id is sent
in is the actual person going to use the account, I see no point in actually
collecting, and then storing, that information.
scott
response 144 of 184: Sep 10 12:29 UTC 2002

So is anybody going to enter a proposal, or are we going to just argue the same
things over and over?
gull
response 145 of 184: Sep 10 12:44 UTC 2002

Re #139: Nether.net was almost always unusably overloaded for exactly that
reason, in spite of having far more bandwidth than Grex.  It isn't an
exactly parallel situation, since they allowed anyone who ran 'newuser' full
outgoing access.  Still, it shows what can happen.
jmsaul
response 146 of 184: Sep 10 18:09 UTC 2002

This response has been erased.

jmsaul
response 147 of 184: Sep 10 18:10 UTC 2002

Allowing full outgoing access to anyone who runs newuser is just a bad idea.
mynxcat
response 148 of 184: Sep 10 18:13 UTC 2002

I agree
flem
response 149 of 184: Sep 10 18:28 UTC 2002

Wait, so we're not supposed to use ID to help prevent identity theft, because
someone could beat us by... committing identity theft?
mynxcat
response 150 of 184: Sep 10 18:49 UTC 2002

Something like that. It sounds weird, but if grex is not going to be actually
verifying that id, I really don't see the point in collecting and storing that
id. 
cmcgee
response 151 of 184: Sep 10 18:55 UTC 2002

NO, NO!  I need telnet.
I need telnet for weather, for access to UM emails, to play games on the
Internet, for a number of different reasons.
mynxcat
response 152 of 184: Sep 10 19:00 UTC 2002

I think he meant no telnet for people who don't pay. It's not a good idea
giving *every* newuser telnet. Get it?
cmcgee
response 153 of 184: Sep 10 19:30 UTC 2002

Sorry, I skimmed too many entries *grin*
steve
response 154 of 184: Sep 10 19:43 UTC 2002

   The reason for asking for ID and not verifying it is a balance between
trying to do something to protect ourselves, but not get so encumbered
in the process that we spend all our time trying to authenticate people
and do not do anything else.  We also ask for id as a form of vandal protection;
once they hear of the request for ID, the vast majority shy away.

   I don't think Grex is overbearing in its requests on this, and I don't
think we need to change much.  I haven't read the entire set of responses
however, so I'll do that now.
mynxcat
response 155 of 184: Sep 10 19:46 UTC 2002

What happens when you collect id from someone, who has provided false id, and
when you need to hand it over to the police, if required to, you end up
implicating some poor third person?
aruba
response 156 of 184: Sep 10 20:28 UTC 2002

All we do is tell the police what we know, which is that the person who
paid for a particular membership sent us a particular ID.

There is no way to tell who uses a particular account.  Even if we carried
out some elaborate check to see that the ID we received actually came from
the person it describes, they can still allow someone else to use their
account, or be careless with their password, or what have you.

So there is no absolute security.  There are only compromises.  Grex has
made one, with its policy; it's not the only one possible, but it has served
us pretty well so far, I think.
steve
response 157 of 184: Sep 10 20:53 UTC 2002

   It has worked excellently, so far.  I see no reason to change it.

   In the case of false ID presented to us, we'd tell the authorities
who got it that it was what we had.  What else could we do?
russ
response 158 of 184: Sep 11 03:45 UTC 2002

Re #143:  Sapna, we don't *know* that the person making the application
is the person named on the license.  However, we do know that the
applicant *had possession of* the license.  Unless the licensee's wallet
was stolen (and maybe even if it was), the licensee could probably give
investigators a good idea of who made the application.  Other forensic
data (such as IP addresses) can exonerate an innocent licensee and finger
the actual guilty party.

If Grex can point investigators down the line, we've carried out our
obligation (and done a pretty good job of deterring vandals).

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss