|
Grex > Coop13 > #357: Member initative: Getting rid of ID requirements | |
|
| Author |
Message |
| 25 new of 58 responses total. |
scholar
|
|
response 8 of 58:
| 
Sep 2 06:21 UTC 2006 |
Re. 6: I want to help all people become members without submitting ID.
Re. 7: They only accept Paypal 'verified' accounts, and it's a hassle to get
verified.
Also, a lot of people just won't use Paypal. And based on what I've heard
about Paypal, I can't say I blame them.
|
naftee
|
|
response 9 of 58:
|
Sep 2 16:51 UTC 2006 |
I don't use Paypal, and would gladly buy a Grex membership were there no ID
rule.
|
aruba
|
|
response 10 of 58:
|
Sep 2 23:48 UTC 2006 |
I would like us to have more members too. The ID requirements were set up
with the intention of making them easy for people to meet; that's why we
accept a plethora of different IDs.
It's true that it's possible to forge ID to become a member of Grex. It's
even happened once that I know of. (Well, someone sent an ID stolen from
someone else.) But, if someone does that, then they have committed fraud,
and can be prosecuted for it. If, on the other hand, we were to allow
someone who is unverified access to services which they used to do something
illegal, it is *we* who have failed.
I'm sure it's true that requiring ID from members has cost Grex money.
And it's certainly cost me a lot of hassle. I am also 100% certain that
requiring ID has prevented people from becoming members and using Grex for
activities that would get both them and us in trouble.
|
naftee
|
|
response 11 of 58:
|
Sep 3 02:19 UTC 2006 |
But you have to admit that now, in 2006, there are much easier ways to cause
trouble on the Internet without a GreX membership than it was when the ID
rule was created. A "cracker" would have to go out of their way to send you
a cheque or money order or whatever to get outbound access from GreX when it
is far easier to
use certain web proxies to achieve the same effect. I even welcome you to
suggest something that a "cracker" could do on GreX that he wouldn't be able
to do more easily elsewhere on the internet. Spamming ? Free e-mail bomb
sites are easy enough to find; ask Winn Schwartau.
Anyway, I promise not to use GreX for anything bad if I had a membership.
Would you take my word for it, instead of ID, aruba ?
|
nharmon
|
|
response 12 of 58:
|
Sep 3 02:21 UTC 2006 |
In god we trust, everyone else must show ID. :D
|
trig
|
|
response 13 of 58:
|
Sep 3 03:53 UTC 2006 |
totally unlucky.
|
scholar
|
|
response 14 of 58:
|
Sep 3 05:20 UTC 2006 |
re. 10: Given the ease with which one may forge ID that will be accepted by
Grex, requiring ID provides no more confidence in someone's identification
than just taking their word for it would. It does, however, cost Grex money.
|
remmers
|
|
response 15 of 58:
|
Sep 3 17:00 UTC 2006 |
(See Item 354, resp. 14 - resp:354,14 - for the rules governing voting
on member proposals.)
The issue is a bit complex because membership confers several different
tangible benefits:
(1) For US taxpayers, a tax write-off (since we're 501(c)3).
(2) Participation in governance (eligible to vote, serve on the board,
make proposals).
(3) Access to various outbound internet services.
I don't think I'd support an across-the-board removal of ID
requirements, especially as regards (2): We owe it to folks to make a
good-faith effort to ensure one-person-one-vote.
Also, being incorporated in Michigan means that Grex is subject to
certain rules regarding maintaing a list of member names and addresses.
I'm not sure what that implies about ID requirements.
|
aruba
|
|
response 16 of 58:
|
Sep 3 17:34 UTC 2006 |
It's a fallacy to assume that because the system can be beaten by a
determined person, it must not be doing any good. I'm convinced that
requiring ID prevents some people from using Grex in ways that will get us
into trouble. I'm sorry, Brett, I don't know the technical details, but I
do know that we have often had a lot of people pay for memberships $6 at a
time, just to use our internet services. I also know that during the period
when we accepted credit cards directly, we had several people become members
using stolen cards. So there are people out there who want to use Grex as
an anonymizer to do something they can't do without being in the internet
group.
Well, I admit my data is a few years out of date. Maybe no one wants to do
these things anymore. But I doubt it.
The argument, "There are much better platforms than Grex to use for cracking
systems, therefore we don't need to worry about crackers on Grex" is also a
fallacy. The point is that *if* we provide someone with the means to do
something illegal/unethical/obnoxious and *if* they do it, then we are
complicit. Whether or not they could have done it better elsewhere.
|
steve
|
|
response 17 of 58:
|
Sep 3 17:39 UTC 2006 |
Quite true. Grex is a platform that can be used for bad things. If
anyone doesn't believe that, please remember the problems we've had with
email, and why we had to turn off automatic outbound mail access for new
accounts. Today we see people running exploits on port 80 (usually Perl
programs) to attack sites, because we allow that port.
With fewer systems like Grex on the net, Grex becomes a target for
folks trying to do things.
|
cross
|
|
response 18 of 58:
|
Sep 3 20:05 UTC 2006 |
"systems like Grex" is relative. If you mean open-access Unix systems, that
may be true, but it's my impression that there is less interest in such things
than there once was. On the other hand, if you mean Unix systems period, then
the number of such things has exploded since grex first came online, and grex
is certainly not that interesting.
Personally, I'd like to see some current data driving the rationale for things
like the ID requirement. I see at least one counter-point that indicates that
NOT having such a thing works (mnet), but none so far that show that it has
ever done any good.
|
naftee
|
|
response 19 of 58:
|
Sep 4 01:55 UTC 2006 |
re 16
Give me one of those "bad things" that can be accomplished on GreX.
And wouldn't you agree that if a cracker found GreX to be adequate for his
needs, he would be smart enough to find a way to fake some sort of ID? Don't
forget that the more stringent you make your ID requirements, the more likely
it is that someone is going to say "screw it; it's only GreX".
I would also like you to give me an example of a cracker using GreX in a
malicious way who was eventually caught thanks to him giving his ID to gain
membership access. If there has not been such a case, then this ID rule
really is a "just in case" policy that is frankly not worth it anymore.
|
scholar
|
|
response 20 of 58:
|
Sep 4 02:34 UTC 2006 |
re. 15: Grex would still require the IDENTIFICIATION of members.
|
steve
|
|
response 21 of 58:
|
Sep 4 04:18 UTC 2006 |
Yes, a determined vandal could indeed make up false ID and send it in,
but the idea of having to do that is a repellant, such that, as far as I
know its happened only one time and the person using the false ID didn't
do anything with their account. As far as "bad" things that can be done
on Grex, it is primarily Perl scripts such as udp.pl which are either
udp flooders, or attacks on BBS's (I've seen at least three varients on
udp.pl).
Yes, there is less interest in systems like Grex now, since anyone
could create a small unix system of their own to play with. However
we still get people who use Grex to learn about unix, and at least a
dozen people in the last couple of months who've been doing C coding.
It suprises me that there are still folks who need to use Grex for
that kind of thing, but its one of the reasons we're here, so thats
neat.
|
scholar
|
|
response 22 of 58:
|
Sep 4 04:22 UTC 2006 |
No need to be 'determined'.
I'm sure I could whip up fake ID that would be acceptable to Grex in five
minutes.
The only thing the ID requirement seems to deter is donations to Grex, and
that's a shame.
|
steve
|
|
response 23 of 58:
|
Sep 4 04:26 UTC 2006 |
No, the ID requirement doesn't deter donations, scholar. Grex gets money
from the people who like Grex and "get" helping out, quite regardless of
what else they need to do. In that sense, Grex is like public radio--only
a small fraction of the users send in money. We can make it easier for
folks, like offering Paypal. Things like that help Grex out more.
I'll also point out that very very few people have ever complanined
about the ID requirement in the time that we've been doing this.
|
scholar
|
|
response 24 of 58:
|
Sep 4 04:28 UTC 2006 |
Really?
Aruba, who is the treasurer, has said in this very item that the ID
requirement has deterred donations to Grex.
Why do you doubt him?
|
steve
|
|
response 25 of 58:
|
Sep 4 04:35 UTC 2006 |
It's not that I "doubt" him, but that I disagree that it has "hurt" Grex.
Yes, I'm sure there are some people who might not have joined, but calculating
the exact number is impossible, and my conversations with people about why
they wern't members were mostly along the lines of what we didn't offer, that
would be an inducement to join. Chiefly among these were the ability to POP
mail from Grex, and the ability to use graphical files on Grex web pages.
|
scholar
|
|
response 26 of 58:
|
Sep 4 04:41 UTC 2006 |
I'm glad you now agree that the ID requirement has deterred donations, though
I'm not sure why you think this hasn't hurt Grex.
|
steve
|
|
response 27 of 58:
|
Sep 4 04:43 UTC 2006 |
Sigh. Almost *any* policy in any endevour is going to have some kind
of negative effect. This was no different. What I am saying is that I
don't think it had a significant effect, compared to say our policy of
not allowing POP, for example.
|
naftee
|
|
response 28 of 58:
|
Sep 4 16:09 UTC 2006 |
re 21
Wow. That's perfect. So the only case that we know about of a person using
fake ID to become a member ended up being a person who was not a vandal. And
there has never been a case so far that the person who sent in valid ID to
become a member was caught vandalising and persecuted with help of that ID.
Clearly, the ID rule is in place not to deter vandals, but to deter people
who would donate money to GreX.
UDP flooders? A simple google search of "UDP flooder" brings up at least 3
websites with links to cracker programmes that do what you mention. A cracker
could go to an internet cafe and UDP flood to their heart's delight with those
programmes. GreX just isn't an efficient cracking platform anymore. It is,
however, a great teaching platform, as you mentioned. The extra priviledges
could be given to students who would like to do more with UNIX.
|
aruba
|
|
response 29 of 58:
|
Sep 4 17:37 UTC 2006 |
Again, the fact that Grex is not an efficient cracking platform doesn't mean
it isn't a potential cracking platform. I don't want us to be responsible
for helping someone do something illegal.
It's clearly a tradeoff: requiring ID hurts us in some way and helps us in
others. We're arguing about the amount it helps us and the amount it hurts
us, not whether it hurts us and helps us.
THe person who sent Grex a stolen ID didn't get a chance to do anything with
his membership privileges, because they were revoked as soon as I realized
the ID was stolen. So the example doesn't tell us anything about what kind
of people send in fake IDs.
But, I think the answer is, not many people are willing to send fake or
stolen IDs to Grex. And that's a good thing.
|
scholar
|
|
response 30 of 58:
|
Sep 4 20:04 UTC 2006 |
Nor are many people willing to use Grex as a 'cracking platform', but I bet
most of the people who do that would also be willing to send in fake ID.
Your contention that this is a disagreement about merely the degree to which
things help or hurt Grex mischaracterizes my argument. I believe the ID
requirement only hurts us, and that anyone willing to use Grex to do malicious
things is going to be more than willing to send Grex fake identification.
However, since most people don't seem to believe that, perhaps it would be
a better proposal to 'delink' membership privileges from network privileges,
allowing the latter only to those who have, at least in theory, had their
identity verified by Grex.
|
steve
|
|
response 31 of 58:
|
Sep 4 20:29 UTC 2006 |
I dunno Mark. This wasn't a problem until certain problem people
decided to make it a "problem".
|
kingjon
|
|
response 32 of 58:
|
Sep 4 20:34 UTC 2006 |
Re #30: 80% or more of the help requests I get (via "write help" -- and they
became so common this summer I started making my habitual first command on Grex
"mesg -h n") are asking for pointers on activities that either are or could be
interpreted as cracking. (I include "how to set up an IRC bot on Grex" in
"could be interpreted as".)
|