response 139 of 264:

Dec 10 10:27 UTC 1998

It seems to me that perhaps configuring newuser to not allow people to
create accounts in the standard way from that site might be an effective
block that wouldn't cause as much trouble for people.  You could have some
mechanism to allow people to get accounts with some amount of manually looking
at the request to decide whether to make the account, perhaps.

response 141 of 264:

Dec 10 12:23 UTC 1998

   Joel, we could (or already do) have a technical mechanism to stop
newuser from creating the account so someone can look at it, but that
is a very fundemental change to the operation of Grex, and one that I
hope we never never do.

   For one thing, it would be a heck of a lot of work, looking at 
all the requests.  On a busy day we'll get 220 new accounts created
here, so you can imagine how much work that would be, if it took
just 30 seconds to examine each one.

   But the greater problem with it would be that we'd be in the mindset
to 'examine' people when they came to the door, and I'm not sure that
"wanting" (more like demanding) full identification might not come next.

   As it is, the vandals come in with the rest of civil society, and
we haven't had that much of a problem.  Certainly there have been some
problems from time to time, but still--and remember, I'm one of the
ones who deals with them--most, the vast majority of people who come
in here are perfectly fine people.

   IIT is about the only time I have ever seen a situation where
teaching newuser to do something special with a certain IP address
would be possible.  Because that is a gateway, we could block it off
(as we did) or something else, but in thinking about it, that is the
only time I can think of in which the vandals of a certain site have
come in through a guaranteed address.

response 143 of 264:

Dec 10 19:20 UTC 1998

   In the case of a malicious program like a fork bomb, it doesn't matter
where the user runs it.  So if we restricted a user to their home directory,
they could still run such a thing and hurt the system.

   But if I understand your question, the answer is no.  There isn't any
way to restrict people from running programs whereever they find them,
without restricting their access to the "shell", which is one of the neat
things about Grex.

response 145 of 264:

Dec 10 20:55 UTC 1998

No.  Anyway, we *want* people to be able to write and run their own programs.
Some people learn a lot on Grex that way.

response 147 of 264:

Dec 10 21:42 UTC 1998

   To get this item back on track to the discussion of IIT and site banning,
we have heard that IIT has been blocked again, but this time from the IIT
system administrators.  We do not have official word on this yet.

response 149 of 264:

Dec 11 02:36 UTC 1998

   thanks

response 151 of 264:

Dec 12 09:38 UTC 1998

i think it's time for a user of the banned site to make his side of the matter
visible. i am a user from that site, and believe i have some legitimate points
to make.
 + the ip address you tracked is 164.100.25.83 this ip address is a *free*
gateway for telnet, and there is no way anyone can track who logged on as
whom, as there is *no* login. it's free!
 + the actions *does* smack of racism as the focus drifted from 'XXXX
University' to an 'Indian' site.
 + the reason users of this site use grex is:
        a. it's a way of keeping in touch with their friends/relatives abroad.
        b. our telnet and internet gateways are diffrent, and the telnet
bandwidth is 6 times faster than the internet. surfing the web thru grex, or
any other telnet site is thus *faster*.
        c. we have got dedicated e-mail servers, but they cost a lousy 500
bucks and free accounts are available *only* to non-freshers.
 + in response to your 'complain' our uni has already blocked access to grex,
and no further response is necessary, as they are not (and should not be)
concerned with the problems of a free service located in a small US town.
 + 30th November to 3rd January are holiday time here, and *nobody* is there
to respond to your diatribe. we were caught unawares.
 + our uni cannot be held responsible for the actions of a few misguided
hackers, as there is noway to invidually deal with and respond to the 5000+
students that study here or the 3000+ non academic staff that lives in the
campus.
 + ours is *not* a 'small' technical college. ours is a Technical Institute
of national repute, ranked 104 in the world (not bad for an indian
university).
 + the users from this site in particular and indians in general, have had
to suffer severe racist rudeness directed to them, at grex and other
international sites.
  particular instances had been mailed to steve (i hope you got them).
 + steve's statement regarding *not* revealing the name of the 'offending'
site was a sham as he boldly announced it on the message of the day,m when
the users of this site were not present to defend their case.
 + your action *would not* stop the attacks, as the perpetrators would
continue from other places, however it succeeded in stopping all the innocent
users from here.
 +  if such a drastic action was indeed pertinent, all the offending users'
login coulda been erased, or perhaps *all* the users from this site blocked,
instead of publicly humiliating the majority of users who had nothing to do
with it. THEN we would not have complained.
 + as i said in the beginning, there is no way the university can determine
WHO did the crime, and thus no way to deal effectively with it.
 + the reasons you have sited other than the fork bombs, are frivolos and an
excuse to block us from grex. it was brewing for a longer time i suppose.
 + rest assured, nobody from this place is ever going to use grex again, altho
i would keep coming back to see the response to my message.
Congratulations. 

response 153 of 264:

Dec 12 13:49 UTC 1998

Spiff, yours is a very well stated opinion.

I'm sorry you felt it was a racsit act for the staff to protect 25,000 users
of Grex from the actions of a few vandals.  Regretfully it required
inconveniencing about 1,000 users from IIT.  The action was not taken without
consideration of those 998 good grexers who would be effected but who had no
hand in causing the problem.  No one liked that, be we could see no other wway
to deal with the problem after our more usual methods failed to have any
result at all.

Is there racism on Grex?  I'm sure there is.  Any time you collect 26,000
people together, you'll turn up most of the worst (and best) traitys that we
humans have to offer.  I'm sure thatif you investigate any group, anywhere,
you'll tuen up a few stupid, frightened people among th masses of ordinary
and extraordinary people.  

Did racism motivate this decision?  No, I'm quite sure it didn't.  Not because
I believe the Grex staff and board are perfect.  Oh heavens, no!  <grin>  We
we all know a lot about each others warts by now.  But because I've worked
and socialized with the people who made the decision for many years now.  Some
for longer than Grex has been around.  I've seen the excitement in their eyes
as they speak of meeting people from all over on our little system.  I've seen
the pain in their eyes when faced with situations where fairness to everyone
isn't feasible.  They have flaws, we all all them.. Racism isn't one of the
flaws I've ever seen in a Grex staffer or board member.

True, you have only my word for it and you don't know me.  But you don't know
any member of the staff and board except at some distance.  Just as you say
it isn't reasoable to hold IIT adminsitrators, students and staff responsible
for the actions of a few misguided vandals, please understand that any racism
you have experienced her on Grex is not coming from (and is unknown to) anyone
on the Grex board and staff.  If such situations are reported to us, we'll
do what we can to put an end to it.  But we can't be responsible for what we
don't know.

As to "just deleting the accounts" of vandals...with an open newuser program,
that just puts the vandal at an advantage.  At least if the vandal uses a
familiar ID, we know who to watch.  If the vandal uses a new ID every time,
we can't know who they are until the trouble starts.

response 155 of 264:

Dec 12 15:51 UTC 1998

Spif:  Thank you for your thoughts.  A few comments:

 - The actions taken here were never based on racism.  It was made
   because of the problems from a certain site and nothing more.

 - I initially did not talk of the particular site, because I wanted
   to see discussion focused on the issue at hand, not where it was.
   But once we talked of the specifics in this item it no longer made
   sense to try and keep it a secret.  Besides, Grex is an open system
   anyway--all anyone would have to do is examine the wtmp file and
   they'd be able to see the large gap in logins once the block was in
   place, and they'd be able to figure it out.

 - I cannot agree that erasing all the accounts would have been a 
   reasonable thing to do.  That would have destroyed several megs
   worth of private mail, which is hardly reasonable.

 - This may be a time of holiday in India, but we have gotten a response
   from the administrators there.  So "nobody is there" is false.

 - You've said that access to Grex is gone forever.  I do not think that
   is the case.  Thats all I'll say on this matter.

 - You are incorrect in saying that your university cannot determine
   who has done something; there are technical solutions to enable IIT
   (and Grex) to know who has logged in.

 - I'm going to alter the account reapnig procedures such that IIT
   accounts are not removed.

response 157 of 264:

Dec 12 19:25 UTC 1998

It may well be that IIT is running some software package that doesn't keep
track of who is using the Net, doesn't provide any sort of authentication,
etc.  However, unless all the people with access to a site are 100%
trustworthy (perhaps applicible in a private residence or small office, but
not in a large university), that sort of software isn't adaquate.  If IIT did
choose to install software like that, it is very likely to be a significant
problem for them.

There's been an expectation on the Internet, certainly as long as I've been
involved with it (several years), and from what I understand from well before
that as well, thatif vandals are gaining net access through a net connected
site, the administrators of that site will deal with it.  Usually it works
pretty well.  Somebody starts doing malicious things, the victims complain,
the administrators of the site check their logs and find out who it was, and
the perpetrator either gets a stern talking to or their account gets taken
away.  Occasionally, as in this case, that breaks down.  None of the publicly
listed contact information for IIT was working for finding people who would
respond to this kind of problem.  At that point, in dealing with something
like this, there are really only three things that can be done.  One is to
ignore the problem and hope it goes away, but in this case it clearly wasn't.
The second is to call in law enforcement agencies for help, but that's
difficult even in domestic cases, and getting US law enforcment to go after
somebody in India for something done to Grex would, I suspect, be pretty
difficult.  The third thing that can be done is to block the site until it
gets taken care of.  That's what we did.  This is not a case of racism.  If
we were having that problem with a site in the US, we would have done the same
thing.  Apparrently, it worked, as we now have a few IIT administrators who
are working on resolving the situation.

spiff says that the IIT can't be responsible for what happens on a free system
in the US.  Unfortunately, Grex can't be responsible for policing users from
the IIT, or anywhere else, either.  Grex's concept of public access and an
open newuser system works because when there are problems, we don't have to
know who our users are.  We can complain and their providers will deal with
them.  If the IIT were unwilling to take responsibility for the actions of
its users, they would not be very compaitble with Grex.  Given that much of
the rest of the public Internet sites work on the same principle, such a place
would not be very compatible with much of the Internet.  Fortunately, the IIT
does seem to be working to fix things.

response 159 of 264:

Dec 13 09:38 UTC 1998

as the issue seems to be finally resolved, (you succeeded in getting a
response from IIT), i feel pertinent to make a few closing remarks, for
the cause of cleaning whatever scum that might have remained.
 + it IS a holiday time in IIT, and as i said there are NO STUDENTS in
IIT at this moment. altho some of us are remaining here to do winter
projects. most of the sysads were away, and this explains the delay.
moreover, IIT had taken action internally as early as you sent your
first mails, of blocking access to Grex. no further response was
possible from the students as the site was blocked.
 + what might have appeared to most of you as a THREAT, was NOT. it
means that, most of the IIT grex users, as they are away on holidays,
when the events unfold, will not ever know what happened, assuming for
some reason the access to Grex is unavailable.
 + as i said earlier, vandals would continue to log in from other
places, and the desired outcome will never be achieved.
 + Grex certainly doesn't owe IIT anything. and it certainly doesn't owe
us the humiliation that was imparted to us, FOR NO FAULT OF OUR OWN.
 + you not finding a better way DOES NOT default to using this as an
excuse,and cerainly not passing the entire responsibility to us.
 + IIT DOES allow telnetting. (setting the records straight)
 + the one thing i DO agree to is IIT should have a way to track down
the offenders, as such events have happened in the past.
 + my suggestions for preventing further misuse :
        a. don't allow binaries, not provided by you, to be run on the system,
as is done by other sites like shellyeah. this might infringe on your
Grex objectives, but according to my experience, most users already have
available alternative UNIX shells to practice programming.
        b. don't allow multiple logins at the same time, as is done (prevented)
by diversion.com and others.
        c. screening of all hack sites. this you can certainly do.
        d. setting up a netiquette questionnaire as shellyeah does, and
requiring the newuser to score a benchmark or higher.
 + we do agree that steve and company are certainly not racists, and
realize that no actions were taken against users who ARE, simply because
WE were not complaining. (A way of life for us.)
 + how can anybody be harassed when users have the options to shut their
messages? this i continue to regard as frivolos and humiliating. (in
response to allegations of female harassment.)
 + it has broken one string of communication between us and our dears
abroad.:-( 
 + a final comment. the matter COULD have been handled far more
discreetly.

response 161 of 264:

Dec 13 15:21 UTC 1998

Just for further clarification:  spiff mentions above that the holiday period
begins 30 november.  when were the first staff communications to IIT admin
in response to the concerns described here?

I would like it made very clear that the public airing of this issue was *NOT*
a first response, or even a second, third or tenth, but rather was a LAST
DITCH effort to find the best solution for the largest group of users.

response 163 of 264:

Dec 13 20:25 UTC 1998

   We were first fork bombed in around the 20th of August.  That was
when I started noticing 164.100.25.83, and started looking for a way
to contact people there.  At that time it was a single incident, and
I didn't worry too much about not being able to get to the admins to
talk with them.  That obviously changed over time, as I observed the
various problems we've talked of.

   As for handling the matter more discreetly, I don't see how.  The
fact of the matter is that we didn't take any drastic actions until
1) we'd been hit several times, 2) failed in repeated attempts to
contact people there.  If that isn't being reasonable, I don't know
what is.

   Your stating that IIT wasn't a threat doesn't make sense: the
system was disabled, five or more times from a single IP address.
That doesn't consitiute a threat?

   You are correct in saying that by blocking users from running
their own programs the fork bombs could be avoided, but that isn't
what Grex is about.  Grex is an open system and has always been so.
Given how many logins we get in any given day the number of malicious
programs is still extremely small.  I think Grex has proven that the
concept of openness works.

   We do talk in newuser about what Grex cannot do.  I'm not sure
what you think that a more advanced questionare would do, other than
use more CPU.  The people who like to hurt systems would obviously
say whatever that got them into the system, which is the problem,
isn't it?  The same thing applies for 'scanning for hack sites'.
Besides the fact that you can't reliably do it, it would be an
incredible drain on the Grex staff.

   As for harassment not being important, not all users know how
to turn their permissions off, but moreover, why should they?  To
say that harassing users should be shut out by shuting out everyone
isn't reasonable.  No one should have to endure suggestive messages.