I am a member in good standing and this is a member initiative. The proposal is as follows: Members of Cyberspace, Inc. will not be required to provide identification.
58 responses total.
According to http://www.cyberspace.org/memfaq.html#whydoineedid , proof of identification is required because:
1. While we are very comfortable allowing anonymous users access to Grex, we are not comfortable unleashing them on the rest of the Internet. It would be irresponsible of the Grex administration to allow people we can't identify to telnet through Grex to other systems, so we require ID from everyone we allow to do that.
2. Cyberspace Communications is required by the state of Michigan to maintain an up-to-date list of members. Implied in this requirement is that we make sure no two memberships are held by the same person. So we require ID to connect accounts with real people and make sure no one has the ability to vote twice in Grex elections.
These reasons are invalid for a number of reasons:
1. It's incredibly easy to forge I.D. that would be accepted by Grex.
2. If someone wants to vote twice, they could just sign up their friend, their spouse, their sometimes lover, or whatever.
3. Member verification is *not* required by Michigan law.
4. Many other organizations in Michigan, including Arbornet, Inc., do not require I.D. from their members and do not appear to have had any problems.
Basically, the I.D. requirement does nothing to stop any of the problems it's meant to stop, does not help us comply with the law, and inconveniences potential members. It should be abolished.
I endorse taking this to vote. We need five more endorsements.
I 2nd this motion.
excellent proposal, scholar
By the way, my purpose in proposing this is to a) cut down on hassle and b) get new members for Grex. With the rate at which membership has been falling, it is in Grex's interest to make becoming a member as easy as possible. I know of at least one person who would sign up if the identification requirements were dropped.
Don't forget, you want to help naftee become a member without making him submit ID.
Psst...paypal
Re. 6: I want to help all people become members without submitting ID. Re. 7: They only accept Paypal 'verified' accounts, and it's a hassle to get verified. Also, a lot of people just won't use Paypal. And based on what I've heard about Paypal, I can't say I blame them.
I don't use Paypal, and would gladly buy a Grex membership were there no ID rule.
I would like us to have more members too. The ID requirements were set up with the intention of making them easy for people to meet; that's why we accept a plethora of different IDs. It's true that it's possible to forge ID to become a member of Grex. It's even happened once that I know of. (Well, someone sent an ID stolen from someone else.) But, if someone does that, then they have committed fraud, and can be prosecuted for it. If, on the other hand, we were to allow someone who is unverified access to services which they used to do something illegal, it is *we* who have failed. I'm sure it's true that requiring ID from members has cost Grex money. And it's certainly cost me a lot of hassle. I am also 100% certain that requiring ID has prevented people from becoming members and using Grex for activities that would get both them and us in trouble.
But you have to admit that now, in 2006, there are much easier ways to cause trouble on the Internet without a GreX membership than it was when the ID rule was created. A "cracker" would have to go out of their way to send you a cheque or money order or whatever to get outbound access from GreX when it is far easier to use certain web proxies to achieve the same effect. I even welcome you to suggest something that a "cracker" could do on GreX that he wouldn't be able to do more easily elsewhere on the internet. Spamming ? Free e-mail bomb sites are easy enough to find; ask Winn Schwartau. Anyway, I promise not to use GreX for anything bad if I had a membership. Would you take my word for it, instead of ID, aruba ?
In god we trust, everyone else must show ID. :D
totally unlucky.
re. 10: Given the ease with which one may forge ID that will be accepted by Grex, requiring ID provides no more confidence in someone's identification than just taking their word for it would. It does, however, cost Grex money.
(See Item 354, resp. 14 - resp:354,14 - for the rules governing voting
on member proposals.)
The issue is a bit complex because membership confers several different
tangible benefits:
(1) For US taxpayers, a tax write-off (since we're 501(c)3).
(2) Participation in governance (eligible to vote, serve on the board,
make proposals).
(3) Access to various outbound internet services.
I don't think I'd support an across-the-board removal of ID
requirements, especially as regards (2): We owe it to folks to make a
good-faith effort to ensure one-person-one-vote.
Also, being incorporated in Michigan means that Grex is subject to
certain rules regarding maintaining a list of member names and addresses.
I'm not sure what that implies about ID requirements.
It's a fallacy to assume that because the system can be beaten by a determined person, it must not be doing any good. I'm convinced that requiring ID prevents some people from using Grex in ways that will get us into trouble. I'm sorry, Brett, I don't know the technical details, but I do know that we have often had a lot of people pay for memberships $6 at a time, just to use our internet services. I also know that during the period when we accepted credit cards directly, we had several people become members using stolen cards. So there are people out there who want to use Grex as an anonymizer to do something they can't do without being in the internet group. Well, I admit my data is a few years out of date. Maybe no one wants to do these things anymore. But I doubt it. The argument, "There are much better platforms than Grex to use for cracking systems, therefore we don't need to worry about crackers on Grex" is also a fallacy. The point is that *if* we provide someone with the means to do something illegal/unethical/obnoxious and *if* they do it, then we are complicit. Whether or not they could have done it better elsewhere.
Quite true. Grex is a platform that can be used for bad things. If anyone doesn't believe that, please remember the problems we've had with email, and why we had to turn off automatic outbound mail access for new accounts. Today we see people running exploits on port 80 (usually Perl programs) to attack sites, because we allow that port. With fewer systems like Grex on the net, Grex becomes a target for folks trying to do things.
"systems like Grex" is relative. If you mean open-access Unix systems, that may be true, but it's my impression that there is less interest in such things than there once was. On the other hand, if you mean Unix systems period, then the number of such things has exploded since grex first came online, and grex is certainly not that interesting. Personally, I'd like to see some current data driving the rationale for things like the ID requirement. I see at least one counter-point that indicates that NOT having such a thing works (mnet), but none so far that show that it has ever done any good.
re 16 Give me one of those "bad things" that can be accomplished on GreX. And wouldn't you agree that if a cracker found GreX to be adequate for his needs, he would be smart enough to find a way to fake some sort of ID? Don't forget that the more stringent you make your ID requirements, the more likely it is that someone is going to say "screw it; it's only GreX". I would also like you to give me an example of a cracker using GreX in a malicious way who was eventually caught thanks to him giving his ID to gain membership access. If there has not been such a case, then this ID rule really is a "just in case" policy that is frankly not worth it anymore.
re. 15: Grex would still require the IDENTIFICATION of members.
Yes, a determined vandal could indeed make up false ID and send it in, but the idea of having to do that is a repellent, such that, as far as I know it's happened only one time and the person using the false ID didn't do anything with their account. As far as "bad" things that can be done on Grex, it is primarily Perl scripts such as udp.pl which are either udp flooders, or attacks on BBS's (I've seen at least three variants on udp.pl). Yes, there is less interest in systems like Grex now, since anyone could create a small unix system of their own to play with. However we still get people who use Grex to learn about unix, and at least a dozen people in the last couple of months who've been doing C coding. It surprises me that there are still folks who need to use Grex for that kind of thing, but it's one of the reasons we're here, so that's neat.
No need to be 'determined'. I'm sure I could whip up fake ID that would be acceptable to Grex in five minutes. The only thing the ID requirement seems to deter is donations to Grex, and that's a shame.
No, the ID requirement doesn't deter donations, scholar. Grex gets money from the people who like Grex and "get" helping out, quite regardless of what else they need to do. In that sense, Grex is like public radio--only a small fraction of the users send in money. We can make it easier for folks, like offering Paypal. Things like that help Grex out more. I'll also point out that very very few people have ever complained about the ID requirement in the time that we've been doing this.
Really? Aruba, who is the treasurer, has said in this very item that the ID requirement has deterred donations to Grex. Why do you doubt him?
It's not that I "doubt" him, but that I disagree that it has "hurt" Grex. Yes, I'm sure there are some people who might not have joined, but calculating the exact number is impossible, and my conversations with people about why they weren't members were mostly along the lines of what we didn't offer, that would be an inducement to join. Chiefly among these were the ability to POP mail from Grex, and the ability to use graphical files on Grex web pages.
I'm glad you now agree that the ID requirement has deterred donations, though I'm not sure why you think this hasn't hurt Grex.
Sigh. Almost *any* policy in any endeavour is going to have some kind of negative effect. This was no different. What I am saying is that I don't think it had a significant effect, compared to say our policy of not allowing POP, for example.
re 21 Wow. That's perfect. So the only case that we know about of a person using fake ID to become a member ended up being a person who was not a vandal. And there has never been a case so far that the person who sent in valid ID to become a member was caught vandalising and persecuted with help of that ID. Clearly, the ID rule is in place not to deter vandals, but to deter people who would donate money to GreX. UDP flooders? A simple google search of "UDP flooder" brings up at least 3 websites with links to cracker programmes that do what you mention. A cracker could go to an internet cafe and UDP flood to their heart's delight with those programmes. GreX just isn't an efficient cracking platform anymore. It is, however, a great teaching platform, as you mentioned. The extra privileges could be given to students who would like to do more with UNIX.
Again, the fact that Grex is not an efficient cracking platform doesn't mean it isn't a potential cracking platform. I don't want us to be responsible for helping someone do something illegal. It's clearly a tradeoff: requiring ID hurts us in some way and helps us in others. We're arguing about the amount it helps us and the amount it hurts us, not whether it hurts us and helps us. The person who sent Grex a stolen ID didn't get a chance to do anything with his membership privileges, because they were revoked as soon as I realized the ID was stolen. So the example doesn't tell us anything about what kind of people send in fake IDs. But, I think the answer is, not many people are willing to send fake or stolen IDs to Grex. And that's a good thing.
Nor are many people willing to use Grex as a 'cracking platform', but I bet most of the people who do that would also be willing to send in fake ID. Your contention that this is a disagreement about merely the degree to which things help or hurt Grex mischaracterizes my argument. I believe the ID requirement only hurts us, and that anyone willing to use Grex to do malicious things is going to be more than willing to send Grex fake identification. However, since most people don't seem to believe that, perhaps it would be a better proposal to 'delink' membership privileges from network privileges, allowing the latter only to those who have, at least in theory, had their identity verified by Grex.
I dunno Mark. This wasn't a problem until certain problem people decided to make it a "problem".
Re #30: 80% or more of the help requests I get (via "write help" -- and they became so common this summer I started making my habitual first command on Grex "mesg -h n") are asking for pointers on activities that either are or could be interpreted as cracking. (I include "how to set up an IRC bot on Grex" in "could be interpreted as".)
Regarding #21; It's absolutely neat! But that doesn't justify the ID requirement. Regarding #29; I suppose the real question is, how can you substantiate the claim that the ID policy does good, by preventing abuse? I think that it was Mary Remmers who once said that a photocopy of my NYC Public Library card, which pretty much just has a mag strip and says, "New York Public Library" on it, would be acceptable ID. But there's really nothing on it that would allow one to track it back to me. So, what's the point? In particular, that's a completely ineffective form of ID, yet meets the requirements, so the value of that ID is questionable, at best. But anyway, if the ID policy has never been used, then there just isn't enough data to say that it's really doing any good. It may be, but we can't say one way or another. We all seem to agree that it does some amount of harm, by discouraging at least some donators. I'll submit that that amount of harm is probably relatively minor: I think very few people have objected so strenuously. Now the question, however, does the potential for benefit outweigh the established costs? I imagine it does, but clearly others disagree. There's certainly no harm in discussing it. Which leads me to.... Regarding #31; Your anti-polytarp bias is showing. David can certainly be a git sometimes, that doesn't make what he's talking about right now of any less value. Theo De Raadt can be a HUGE git at times, yet you don't object to running his software, after all.
Am I the only one who is bothered by Steve's attitude toward legitimate member proposals?
No.
Git? lol. That's the first time I've heard an American use that word. In case you're reading this, Rane, I used the word "heard" METAPHORICALLY, ok?
(I got it from Harry Potter)
Re #33: Mary was mistaken about your library card. See ~aruba/idpolicy for the policy Grex adheres to in accepting IDs.
There is still the fact that Michigan State law requires that we keep and list of member names and addresses.
So you ask them for such; does Michigan State law require you to verify same? regarding #33; Okay. But an officer of the corporation told me otherwise while she was an officer of the corporation. May I suggest, then, that future officers are briefed on such things?
Hmmm, I don't remember telling you such a card as you described would meet our policy requirements. Is it possible we were talking about library cards of a few years ago that tended to have names and account numbers on them?
re 39: Glenda, can you cite the statute that requires Grex to keep and list member names and addresses?
Nathan - it's been quoted in a number of other coop items in the past, but I don't remember the number. It's part of a general law regulating nonprofits in Michigan.
Okay, I thought someone might have it handy, but here it is: MCL 450.2413: "The officer or agent having charge of the shareholder or membership records of a corporation shall make and certify a complete list of the shareholders or members entitled to vote at a shareholders' or members' meeting or any adjournment thereof. The list shall: (a) Be arranged alphabetically within each class with the address of each member or shareholder and the number of shares held by each shareholder." http://www.legislature.mi.gov/mileg.asp?page=getObject&objName=mcl-450-2413 I'm assuming Mark is said "officer or agent having charge of the [...]membership records", and that certifying the list means making sure it is accurate. If he requires ID to do so, then so be it.
By the way, what happens if this proposal passes and it is in violation of Michigan law? Is there a provision in the bylaws that cover such a situation?
Just to clarify: Anyone can make a donation to Grex. Cash in a plain envelope, sent to the treasurer, with a note saying it is a donation, would be placed in our bank account. The ID requirement is for membership.
re #44 Does Grex have a NOPP for members and would-be members so that they know their personal data (name and address) is available to inspection by any member or member's proxy at the meetings under 450.2413(c) and 450.2413(d)2? I'm fairly certain most members are unaware that their personal home address info is fair game for the rest of the membership.
re resp:33: I think it's reasonable to take into account when someone has been a harasser of the staff and the general usership of Grex. I think resp:31 reflects the assumption, reasonably based on past behavior, that certain users including the author of resp:0 are untrustworthy. Scholar is one of 4 or 5 users on Grex whom I filter. Unfortunately he is a member now and can further harass us all with "user initiatives". I will be predisposed to vote "no" on anything scholar recommends or asks for.
I don't find "user initiatives" as harassment. These suggestions are lacking cynical tones and while they may be "old hat" to some, they show a genuine interest and should be given some attention.
re 46 Cash in a plain envelope sent by mail is illegal, just to clarify. re 48 Please take your accusations of harassment out of this conference. We are trying to have a serious discussion here.
It's not illegal to send cash through the mail.
The legality might depend on what country you live in.
It's certainly been used a number of times to send money to Grex. But I can't recommend it, because there's absolutely no recourse if the cash is lost in the mail.
Meet me at the Fleetwood, d00d
i guess i was wrong about the cash deal.
Regarding #41; Actually, you didn't. All you said was, "Cool about your library card" (Coop12, Item #123). Mark later said he probably wouldn't accept it. My bad.
hi sin^-1 (naftee) arcsin.
hi trig ; that was angular of you