Picking up a thread from item 72.
===========================================================================
#44 of 53: by Mary Remmers (mary) on Wed, Jan 28, 1998 (00:31):
The following is the text of the membership vote which restricted
specific services to members only. A number of reasons for limiting
access are mentioned but I don't see any reference to using these
restrictions as an incentive for folks to send in membership dues.
***************************************
PROPOSAL:
The following internet services enrich the Grex community, do not use
much bandwidth, and do not provide much potential for internet
mischief; therefore they should be made available to all:
Finger
Whois
Ping
Mail (incoming and outgoing)
Incoming Usenet News
Incoming Telnet
Incoming FTP
Incoming Lynx
Talk (and its various permutations)
Archie
Veronica
WAIS
Gopher (with all Telnet capabilities disabled)
The following services will be restricted to VERIFIED GREX MEMBERS and
VERIFIED GREX USERS (however the board shall define that term) because of
the potential for world-wide mischief:
Outgoing Usenet News
The following services will be restricted to VERIFIED GREX MEMBERS in good
standing, because these services utilize a lot of bandwidth, offer
less of a benefit to the Grex community as a whole, and/or hold the
potential for system cracking and other undesirable activities:
Outgoing FTP
Outgoing Telnet
Outgoing Lynx
Gopher (with telnet capability enabled.)
IRC
Being that the major objection to open access for the above
services is the lack of available bandwidth on Grex's internet
link, it is understood that any of these services may be made
available to all VERIFIED USERS as well as VERIFIED MEMBERS as soon as Grex
acquires a link of suitable power and robustness.
In order to maintain the integrity of both Grex, and of the Internet as a
whole, the Grex board shall have the power to restrict or deny internet
access to groups or individuals who pose a security risk, or who engage in
inappropriate behavior (as defined by the Grex board).
The board may also make modifications to this proposal without resorting
to a member vote in the case of an emergency situation, or if some
provision of this proposal proves to be technically impossible to implement.
VOTE RESULTS:
Results were posted on Wednesday, August 17, 1994.
49 out of 80 eligible voters cast ballots. The Tally: Yes 36 No 13
The proposal passed.
*********************************************
#45 of 53: by Jan Wolter (janc) on Wed, Jan 28, 1998 (11:47):
Wow. Mail is a service that doesn't use much bandwidth? Well, not on a
per-user basis, normally, I guess.
Also, I note that we do allow "outgoing lynx" to all users.
[...deleted...]
The above text raises some other issues that probably ought to be treated
in another item.
#51 of 53: by Steve Gibbard (scg) on Wed, Jan 28, 1998 (18:15):
I'm also amused by the statement in the voted-on policy that ping doesn't
have much potential for abuse. We in fact aren't allowing anybody to run
it, because it can be abused so easily.
#52 of 53: by Gerund Word (gerund) on Wed, Jan 28, 1998 (20:29):
So then pardon me for asking, since I really have no clue, but isn't that
a violation of the result of the vote?
#53 of 53: by Rane Curl (rcurl) on Thu, Jan 29, 1998 (03:33):
Not really - the policy says those things *should* be made available, not
that they will be. Consequently, access to those services is subject
freely to staff choice, unless overruled by the board (or by a vote).
8 responses total.
I think we have to recognize that what may not have been considered a security problem in 1994 could turn out to be one later. I think restricting "ping" complies with the intent of the policy, if not the letter. Allowing lynx does comply with the letter of the policy. I suppose if we really wanted to be formally correct, we should either re-enable ping or hold a user referendum on the subject. I consider both options a bit silly, so long as there aren't lots of people crying in the street for ping access. I think Grex's principle of government is to a significant degree consensual. If we are bending the policy in a non-controversial way, I'd say fixing the policy is a low priority - something to keep in mind to do if we are ever making other changes to the policy.
You may have missed my point. Any policy that uses the word "should" is not a policy - it is a guideline and can be violated freely subject only to whatever subjective judgements others may have.
"lynx" is an application. A browser in fact. Because it is what people use, it is what is named in the policy. However, that is all technically incorrect. We limit access not by the application used, but rather by the protocol used. In 1994 we voted not to open outgoing lynx, but that should really read outgoing http. At the time we allowed gopher protocol. Since then, nearly all of the gopher sites have gone, replaced by http sites. At some point we decided (without a membership vote) that http was really meeting the same needs as gopher (only better), and should have been permitted. So, today, lynx can access http and gopher sites, but not ftp sites. Similarly, when it became a problem, staff decided to restrict access to ping. No membership vote was taken. Both of these changes were announced somewhere publicly, I'm sure. If either of these decisions were questioned by the membership, I believe that they are fair game to be reviewed. They were not attempts to circumvent the wishes of the members so much as a reaction to changes in usage patterns on the net or on Grex.
What is ping?
Ping is a program used to test whether another system can be reached across a network. Ping sends out an ICMP (Internet Control Message Protocol) echo request packet, so that if the other computer is up it will receive that and echo it back, showing the system doing the ping that the other system is up. Normally the packets ping sends out are quite small, and it is a useful tool for network testing and troubleshooting. The problem is that ping allows the user to specify the size of the packets it sends out, so by sending a very large ping a user could make Grex's Internet connection unusable, and could also cause problems for whatever other system they were "flood pinging." If we were going to reenable ping, it would make sense to modify it to take away its ability to send large ping packets. That wouldn't be too hard to do, but since nobody other than the staff really needs to be able to run ping on Grex there wouldn't be much of a reason to put the work into it.
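The size restriction suggested in the response above, sketched as an argument filter for a ping wrapper. This is an added example, not part of the original thread and not Grex's code; the limits `MAX_SIZE` and `MAX_COUNT` and the function names are assumptions, and the option letters (`-c`, `-s`, `-f`, `-i`) are those of common ping implementations.

```shell
# Added example: argument filter for a restricted ping wrapper (POSIX sh).
# MAX_SIZE and MAX_COUNT are assumed policy values, not taken from the thread.
MAX_SIZE=56     # bytes of ICMP payload; the default of common ping builds
MAX_COUNT=5     # echo requests allowed per invocation

# is_uint STR: succeeds if STR is 1 to 6 decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 6 ]
}

# restricted_ping_cmd ARGS...: print the sanitized command line on stdout,
# or return non-zero if the request is outside the policy.
restricted_ping_cmd() {
    count=$MAX_COUNT size=$MAX_SIZE host=
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) is_uint "${2-}" && [ "$2" -ge 1 ] && [ "$2" -le "$MAX_COUNT" ] || return 1
                count=$2; shift 2 ;;
            -s) is_uint "${2-}" && [ "$2" -le "$MAX_SIZE" ] || return 1
                size=$2; shift 2 ;;
            -*) return 1 ;;   # any other option, including flood (-f) and interval (-i)
            *)  [ -z "$host" ] || return 1   # exactly one target
                host=$1; shift ;;
        esac
    done
    # Accept only host names and address literals; reject shell metacharacters.
    case "$host" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    printf 'ping -c %s -s %s %s\n' "$count" "$size" "$host"
}

# Constructed sample requests: the first is passed through, the second refused.
restricted_ping_cmd -c 2 -s 32 192.0.2.1
restricted_ping_cmd -s 65000 192.0.2.1 || echo "refused: outside policy"
```

A wrapper built on this would run the printed command only after the filter succeeds, always with an explicit count so a request cannot run indefinitely.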
Ping should not be globally enabled. On nether.net I don't bother to deperm it, I just block it at the router level. This way I can see who is trying to attack who. It makes it nicer because people don't break into the routers :)
Color me stupid, but I'm not sure I understand the idea behind this item. I think Grex is as open as it can be right now, given the current level of network connection and CPU it has. The extra speed of the ISDN link is needed to make Backtalk at all usable, and the 670 is going to be barely able to provide "real" service. Given the ever rising expectations that people have in computer services, we're going to have to be better at offering conferencing if we're going to stay viable for random people.
Internet access should be the bare minimum needed to keep ppl interested and involved in *Grex*. Re #6: "who is attacking" whom. -)