Grex > Coop11 > #47: Banning a site from Grex; a discussion of when to do this

25 new of 264 responses total.

mdw | response 90 of 264 | Dec 4 23:16 UTC 1998
It is trivial to type in a fork bomb. This response is *much* larger
than a fork bomb. Blocking ftp will not impede any vandal wanting to
run a fork bomb on grex.

aruba | response 91 of 264 | Dec 4 23:54 UTC 1998
Re #89: But if we open up the link for a bit, and let the people from that
site see their mail, they will get the message we've worded here and then
hopefully pressure their administrators into taking action. In other words,
opening up the site again is a way to accomplish the goal of getting something
done about the vandals.

remmers | response 92 of 264 | Dec 5 01:11 UTC 1998
Re resp:89 - The reason for reopening is not because anybody thinks
the problem is solved.

scg | response 93 of 264 | Dec 5 01:34 UTC 1998
I know we're not opening this up because anybody thinks the problem is solved.
That's what I'm objecting to.

steve | response 94 of 264 | Dec 5 03:50 UTC 1998
I hear what Steve is saying.
Are there other people who agree that this shouldn't be lifted?
I'm working on the mail anyway.

steve | response 95 of 264 | Dec 5 04:24 UTC 1998
I'm talking to someone from IIT now; it's VERY interesting.
I'll report when I'm done.

krj | response 96 of 264 | Dec 5 05:32 UTC 1998
My own cynical belief is that we will lift the site ban; some vandal
from that site will attack grex again; and we will reimpose the site
ban. However, as there seem to be 1000+ Grex users from this site --
presumably at least some of them nice people -- we need to lift the
ban, at least for a little while, to explain what has happened to
them, and to allow the legitimate users to download their e-mail and
make other arrangements.
And this is another reason to use the MOTD to communicate with the users
at this site: composing and sending the e-mail is adding days to the
interruption these users are seeing. The ban has been on for a week;
it would be good if Grex were prepared to lift the ban for Monday
morning, Indian time.

mdw | response 97 of 264 | Dec 5 05:55 UTC 1998
Would you like to be one of the people who cleans up after fork bombs?

steve | response 98 of 264 | Dec 5 06:10 UTC 1998
Well, I got the name of the director of computing, and what may
be a good email address for this person. I'm going to see if that
does any good.
There apparently is a mail machine there, but the person I talked
to just got mail dated November 17th, today. Small wonder then, given
the glacial speed of the machine that they'd be trying to use anything
else.

krj | response 99 of 264 | Dec 5 06:35 UTC 1998
No, I do not want to be the person who cleans up after fork bombs.
Yes, I realize that I am asking you, the staff, to clean up after
one more inevitable fork bomb from this site, for the cause of
sending a message to a very very large number of grex users.
I'm not going to go to the mat for this, though; but other responses
in this item have convinced me that Grex owes this large block of
users the minimum politeness of explaining the termination of
our relationship.
Here's some off the wall proposals. Disable the C compiler for a couple
of days. Disable newuser for connections originating from this site,
and move the users from this site into a group whose permissions
are drastically cut.

steve | response 100 of 264 | Dec 5 07:30 UTC 1998
I think it would be better to simply lift the ban, and see what
happens after sending mail to all of them.
We could do things as you suggest, but I think that's more work
than cleaning up after them. And, sets a precedent of tweaking
that I don't think we should do. If things come down to it, cut
access off cleanly, and simply ban them.
But I'm thinking that with a little luck we can deal with this
problem.

rcurl | response 101 of 264 | Dec 5 08:02 UTC 1998
I agree that the mail should be loaded and then the ban lifted. STeve
seems both very able and willing to handle another fork bomb for the sake
of getting the message out to such a large constituency. If another fork
bomb does occur, and we impose the ban again, at least thousands will know
why, and I would expect that it would be interesting to *be* at that site
to see the uprising against the vandals by the many responsible users.

mdw | response 102 of 264 | Dec 5 10:19 UTC 1998
It's pretty trivial to write a fork bomb in assembler too. Or ftp a
binary over. Or to use "adb" to compose one here. Or to send one over
as a MIME attachment, or to use http: to fetch one. So "fixing" this on
grex to make it impossible for someone to ship over and run a fork bomb
on grex is not a trivial exercise. The problem here is that you're
breaking a fundamental design principle of grex, and in order to "fix
it", you pretty much have to rethink every single software decision
we've made on grex.
It would be simpler to just teach grex to do something more intelligent
about fork bombs to start with. Long ago, I did, in fact, do some
kernel hackery on the m-net altos to do just this; I patched bits of the
OS to notice when memory seemed to be getting a bit short, and to locate
the most greedy normal user and to kill everything they owned, violently
and with much prejudice. Doing this sort of thing took a *lot* of work,
and would be significantly harder to do on grex today. We have, in
fact, implemented some things that make fork bombs not as bad as they
used to be (like we don't have to reboot the system to fix them), but
doing much better than this requires a *lot* of very specialized hard
work.
It is worth remembering, too, that fork bombs are just one form of
denial of service attack. There are also network flooding tricks that
can be done. Network flooding problems can't be solved on grex. The
only way to stop them is to wait until "they" get tired, block them
somewhere far enough downstream that they can't dam up legitimate data
traffic, or beg their ISP to stop the problem. Technical fixes only go
so far.
Yes, we could start fiddling with newuser & permissions, so that we
could gain the effective ability to deny random 164.100.*.* users access
to grex. It would really be rather a lot of work, as we take on the
responsibility to act as parents to non-native speakers of English
located about as far away as you can get from grex and still remain on
this planet. There *are* people who thrive on this sort of power trip.
Fortunately, none of them are on grex staff, and I am not surprised to
discover krj is not one of those people either.
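
The response described in response 102 (notice that resources are running short, find the greediest normal user, kill everything they own), sketched in user space as an added example; it is not code from this thread, from Grex or from M-Net. The `ps`-style snapshot format, the UID cutoff for "normal" users and both thresholds are assumptions.

```python
import os
import signal
from dataclasses import dataclass, field

MIN_NORMAL_UID = 1000     # assumption: lower UIDs are root/daemons, never targeted
PROC_LIMIT = 40           # assumption: per-user process ceiling
LOW_MEM_KB = 8 * 1024     # assumption: "memory is getting short" threshold

def make_sample(bomb_procs=60):
    """Constructed `ps -eo pid,uid,user,rss,comm` style snapshot."""
    rows = ["  PID   UID USER      RSS COMMAND",
            "    1     0 root      900 init",
            "  212     0 root     1500 sendmail",
            "  340  1500 alice    6200 pine",
            "  341  1500 alice     800 csh"]
    rows += [f"{1000 + i:5d}  2001 vandal    120 a.out" for i in range(bomb_procs)]
    return "\n".join(rows)

@dataclass
class Usage:
    user: str
    pids: list = field(default_factory=list)
    rss_kb: int = 0

def parse_ps(text):
    """Aggregate process count and resident memory per normal user."""
    usage = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        try:
            pid, uid, rss = int(parts[0]), int(parts[1]), int(parts[3])
        except (IndexError, ValueError):
            continue                      # skip malformed rows
        if uid < MIN_NORMAL_UID:
            continue                      # system accounts are out of scope
        entry = usage.setdefault(uid, Usage(parts[2]))
        entry.pids.append(pid)
        entry.rss_kb += rss
    return usage

def pick_offender(usage, free_kb):
    """Return the Usage to act on, or None when the system looks healthy."""
    if not usage:
        return None
    busiest = max(usage.values(), key=lambda u: len(u.pids))
    if len(busiest.pids) > PROC_LIMIT:
        return busiest                    # process-table exhaustion
    if free_kb < LOW_MEM_KB:
        return max(usage.values(), key=lambda u: u.rss_kb)
    return None

def kill_all(pids, dry_run=True):
    """SIGSTOP every process first so none can respawn, then SIGKILL them."""
    plan = [(sig, pid) for sig in (signal.SIGSTOP, signal.SIGKILL) for pid in pids]
    if not dry_run:
        for sig, pid in plan:
            try:
                os.kill(pid, sig)
            except ProcessLookupError:
                pass                      # process already exited
    return plan
```

Stopping every process before killing any matters because a process that is still running can fork replacements faster than they are killed one by one.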

scott | response 103 of 264 | Dec 5 12:39 UTC 1998
I agree with opening the block to that site, so that users can get our
message. It is fair, and it might possibly put some pressure on the people
in charge there to clean up their end of things.

steve | response 104 of 264 | Dec 6 09:19 UTC 1998
OK. I have the entry for the MOTD, and the email which will
be sent to the active accounts from the site.
The MOTD announcement is in ~steve/p1, and the mail is in
~steve/p2.
MOTD:
To ALL users from IIT Kharagpur (IP address 164.100.25.83):
From November 30th to December 6th, Grex blocked all access from
your site, after several serious incidents occured which hurt the
functionality of Grex. Access to Grex has been restored while we
are attempting to talk with administrators at your site. We have
done this to inform all IIT users of why the ban was enacted. In
your mailbox is a further explaination for you to read. You need
to read this mail immediately.
GREX WILL REINSTATE THE BLOCK--POSSIBLY PERMENENTLY--IF MALICIOUS
BEHAVIOR CONTINUES.
Mail to be sent:
An explaination of why Grex blocked access from IIT-Kharagpur
Over the last several months Grex has experienced several problems
with users from 164.100.25.83. These problems have been serious
and frequent enough to cause us to take the unprecidented action
of blocking an entire system from Grex.
In particular, several "fork bombs" have been run which use all
available CPU such that the system is made useless. Other problems
include downloads of files and harassment of female users.
Please understand that Grex is a very small system, maintained by
an all-volunteer staff. Not affiliated with any university or any
government, Grex lives by donations from it's paying members and
by fundraisers. No one is paid for the work they do here and
Grex survives on an incredibly small budget. Since 1991 we have
provided computer conferencing, email and general computer access
to the Ann Arbor Michigan area. In Janurary 1994 Grex became
available to the world, and to date people from more than 122
countries have used Grex.
Grex's openness needs the trust that its users will not do things
to hurt the system. By and large that has been the case, though
"vandals" do try things such as breaking the security here.
Unforunately, there are users from IIT who have run things like
"fork bombs". This has happened at least four times in the recent
past. When such a program is run on Grex it deprives many people
from using Grex, and even after such a program has been removed
its effects are still felt, as the system struggles to catch up on
all the mail that it missed while the bomb was running.
There have also been incidents where female users have been
harassed, and many MANY downloads of large files have occured,
often after repeated requests to not do this.
Grex cannot tolerate these kinds of behavior. The system is too
small, and the staff have enough things to do without the added
burden of constantly telling users from IIT what things are not
acceptable. It should be self evident that harassment of anyone
is not proper, nor is running software designed to harm a system.
We have lifted the block from your system in order to explain this
to all users of IIT. We recognize that the majority--the vast
majority--of IIT users are perfectly fine people, and that we have
caused inconvience to a great many people in blocking IIT. We
understand that there are perhaps more than one thousand active
users who have mail on Grex, and it was with regret that we took
this action. However, the effect of denying access to IIT users
had to be weighted against the greater good of the system.
It is our sincere hope that the problems we have experienced stop,
and allow Grex to keep its open-door policy to the world in effect.
However, if more severe problems occur we will have to re-evaluate
our position on granting access to IIT. This is something we have
never had to formulate a policy on, but we will if pressed.
Specifically, we are asking for the following from all IIT users:
+ To not bring over, or compose software designed to harm Grex or
any other system.
+ To respect the limits of Grex's Internet bandwidth, by not
using Grex for *ANY* file downloads other than to retrieve
mail. This means not using Grex to
- receive files larger than 100K;
- using Lynx to obtain graphical/audio/compressed files, and
then FTPing them elsewhere;
- send mail larger than 100K.
+ To not harass other users, including talking to someone if they
have asked to be left alone. No one on Grex should be bothered
by others; everyone was the right to use Grex and to expect that
they will not be harassed or bothered by others.
Please help us. This is something we have never had to do before
and it has been neither easy or pleasent. We are hoping that by
explaining this to you, there will be talk of this at IIT and it
will be realized that the behaviors that caused us to take these
actions are not acceptable.
If you have any questions or comments about this please send
mail to staff@cyberspace.org. There is also discussion of this
in the "coop" conference, item 47. The coop conference is the
place where policy issues are talked of, and ALL are welcome to
participate.
--STeve Andre'
Grex staff member

steve | response 105 of 264 | Dec 6 09:23 UTC 1998
Comments and corrections? Staff, feel free to fix typos and
such directly in the two files.

aruba | response 106 of 264 | Dec 6 16:21 UTC 1998
I think there should be a direct appeal in there for users to let their
system administrators at IIT know that they use Grex and don't want to see
themselves cut off in the future. The mail doesn't mention the main
difference between this site and others from which people have caused
problems: namely, that the system administrators at IIT have been
unresponsive. So if I were a responsible user and I got this mail, I
wouldn't think there was much of anything I could do about the problem. If
I were a vandal, I wouldn't care. I think we need to try to get the
responsible people on our side.
Correct me if I'm wrong, but ultimately what we need is to have a contact
person there to whom staff can send mail when there is a problem
(attaching logs and other info to help them figure out who the perpetrator
is); a person who will then take action to discipline the person who is
the source of the problem. I think we should use the responsible users
to convince the system administrators that we are worth the trouble of
talking to.

dpc | response 107 of 264 | Dec 6 16:21 UTC 1998
Very fine work, steve! There are a few typos, but leaving them in
may enhance the image of Grex as a bunch of volunteers.

steve | response 108 of 264 | Dec 6 16:53 UTC 1998
No, given that these people all speak English as a second
language we should use the King's English, I think. I've found
and corrected all the typos in p1 and p2. Someone who likes
going over this might want to look at those two files.

steve | response 109 of 264 | Dec 6 19:18 UTC 1998
I have added the wording that Marc wanted; it is near the end
of the letter. You can look at the entire file in ~steve/p2. The
new paragraph reads:
As yet we have not received anything from the administrators of
IIT. We would appreciate it if several people would contact them,
and tell them that the staff of Cyberspace Communications would
like to talk with them, at staff@cyberspace.org. Being able to
communicate with the administrators of IIT will directly influence
our abilities to not ban IIT from Grex, should problems arise
again. Thus it behooves the student body to make sure that this
happens.
I'd like to have this mailed out by 9pm tonight if at all
possible.

scg | response 110 of 264 | Dec 6 19:27 UTC 1998
Um, I wouldn't word this as if it was a punitive thing against IIT users.
It sounds like IIT users are an evil bunch who all need to reform or we will
punish them all. IIT certainly isn't the only site with users who have done
bad things to us in the past.
Instead, we should be emphasizing that the ban was there because their system
administrators wouldn't respond to our complaints, and wouldn't help us
correct the problem, and that if we're getting problem users from a site that
won't deal with things like that, it makes running Grex pretty impossible.
That is why we banned them, isn't it?

steve | response 111 of 264 | Dec 6 19:32 UTC 1998
If someone wants to come up with a rewording, I'm all ears. I
personally don't think this paragraph is needed. I'll sit back and
let the community work on this part.

scg | response 112 of 264 | Dec 6 20:13 UTC 1998
So if we had a few problems with a site, and administrators there who were
working very hard to solve it, would we have blocked the site as readily?
Ok, here's how I'd word it:
Dear IIT users (or however you want to start it),
From (date) to (date), we blocked access from your site. This was
done because we were not able to get a response from system administrators
at your site after having a large number of problems with users from there.
Over the last several months, we have had repeated problems with users from
your site attacking Grex in ways that have bogged the system down and forced
our staff to spend lots of time cleaning up after them, as well as users from
your site harassing many of our female users. Both of these are obviously
not acceptable uses of Grex.
IIT certainly isn't the only site we have had problems from. However, in
general, if something like this happens, we complain to the administrators
of the site and the problem gets taken care of. At this point, despite having
sent in repeated complaints, we have received no response from the
administration of IIT, nor have we seen any evidence that they are working
to resolve the situation. Given the number of problems we have had from users
of your site, and the complete lack of response from the administration there,
the only way we were able to solve this problem was to ban your site from
Grex. This is not something we like doing, but we really don't have any
alternative.
We have now temporarily lifted the site ban, to let you know what's going on
here. If the problems continue, and if the administration there continues
to ignore our requests for help with the problem, the ban will be reinstated
until we are convinced that the problems have been solved.

mta | response 113 of 264 | Dec 6 21:10 UTC 1998
OK, here's my take combining the Steves' approaches...
MOTD:
To ALL users from IIT Kharagpur (IP address 164.100.25.83):
From November 30th to December 6th, Grex has blocked all access from
your site, after several serious incidents occurred which hurt
Grex's ability to serve its users. To inform all IIT users of why
the ban was enacted, access to Grex has been restored while we
continue our attempts to contact the administrators at your site.
Your mailbox contains a further explanation. Please read this mail
immediately.
GREX WILL REINSTATE THE BLOCK--POSSIBLY PERMANENTLY--IF MALICIOUS
BEHAVIOR CONTINUES.
Mail to be sent:
Grex's block of access from IIT-Kharagpur
Dear IIT users,
Over the last several months Grex has experienced severe problems
with a few users from 164.100.25.83 (Kharagpur). We were not able
to get a response from system administrators at your site after
many attempts to explain the situation and ask for help. These problems
have been so serious and so frequent that we have regretfully taken the
unprecedented action of blocking an entire system from accessing Grex.
Specifically, several "fork bombs" have been used to monopolize all
available CPU so that the system is made useless. Other problems
include downloads of very large files and the harassment of female users.
Please understand that Grex is a very small system not affiliated
with any university or any government. It is maintained by
an all-volunteer staff and by donations from its paying members and
by fundraisers. No one is paid for the work they do for Grex and
Grex struggles under the burden of an incredibly small budget.
Certainly IIT isn't the only site we have ever had problem users from.
However, in general, if something like this happens, we complain to the
administrators of the site and the problem gets taken care of. At this
point, despite having sent in repeated complaints, we have received no
response from the administration of IIT, nor have we seen any evidence
that they are working to resolve the situation. Given the large number of
problems we have had originating from your site, and the complete lack
of response from the administration there the only way we were able to
solve this problem was to ban your site from Grex. This is not something
we like doing, but we really don't have any alternative.
Since 1991 we have provided computer conferencing, email and
general computer access to the Ann Arbor Michigan area. In
January 1994 Grex became available to the world, and so far
people from more than 122 countries have used Grex.
Grex's openness requires us to trust that our users will not do things
to hurt our system. That has been true most of the time for most users,
though occasionally "vandals" do try to break Grex's security.
Unfortunately, there are a few users from IIT who have been running
programs intended to hurt Grex. This has happened at least four times
in the recent past. When such a program is run on Grex it deprives
many people thousands of people of the use of Grex. Even after
such a program has been removed, its effects continue, as Grex
struggles to catch up on all the mail that it missed while the
program was running.
There have also been several incidents of a few people from your
site harassing female users of Grex.
Finally, many MANY people have been downloading large files,
often after repeated requests to not do so.
Grex cannot tolerate these kinds of system abuse. Our system is too
small, and the staff has too much to do without the added burden of
constantly telling users what things are not acceptable use of Grex.
It should be obvious that harassing other users is not acceptable
behavior, nor is running software designed to harm a system.
We have temporarily lifted the block from your system to explain
the problems to the vast majority of responsible Grexers from IIT.
We recognize that we have caused a great inconvenience to many people
in blocking IIT. It was with regret that we took this action.
Unfortunately we had to weigh the effect of denying access to IIT users
against the inconvenience to all our users caused by a few users.
We sincerely hope that the problems we have experienced will stop,
so that Grex can continue to keep its open-door policy to the world
in effect. However, if severe problems continue to occur and we don't
get cooperation from the authorities at IIT, we will have to reconsider
whether granting access to Grex from IIT is in the best interest of our
other 26,000 users from around the world.
We specifically ask for the following from all Grex users, including
those from IIT:
+ Do not bring over, or compose, software designed to harm Grex or
any other system.
+ Do respect the limits of Grex's Internet bandwidth, by not
using Grex for *ANY* file downloads except to retrieve your
mail.
This means:
- Do not receive files larger than 100K;
- Do not use Lynx to obtain graphical/audio/compressed files, and
then FTPing them elsewhere;
- Do not send mail larger than 100K.
+ Do not harass other users, which includes talking to someone if they
have asked you not to. No one on Grex should be bothered
by others; everyone has the right to use Grex and to expect that
they can do so without being bothered by other Grexers.
Please help us. This is something we have never had to do before
and it has been neither easy nor pleasant. We are hoping that by
explaining this to you, we can spread the word there about the behaviors
that have caused us to take these actions. If access to Grex is important
to you, please discuss these problems with your friends and with your
system administrator. Unfortunately if the problems continue, and if
the administration there continues to ignore our requests for help
the ban will be reinstated until we are convinced that the problem
users have been dealt with.
If you have any questions or comments please send mail to
staff@cyberspace.org. There is also discussion of this
in the "coop" conference, item 47. The coop conference is the
place where policy issues are talked of, and ALL are welcome to
participate.
The Grex staff

scg | response 114 of 264 | Dec 6 21:17 UTC 1998
Thanks Misti. That looks good.