An Initiative
To eliminate the identification requirements of membership in the
Corporation.
Be it initiated by the Members of Cyberspace Communications,
Section 1. Short Title
This initiative may be cited as the "Membership Identification
Requirement Removal Initiative of 2003."
Section 2. Repeal of Previous Provision
Sections (1), (2), (3), (5), and (6) of Verification Policy adopted by
the Board of Directors on September 27, 1995 are hereby repealed.
Section 3. Office of the Verifier
(a) Within thirty (30) days of adoption of this resolution, the
Verifier shall destroy all copies of previously accepted
identification from members.
(b) (1) The Office of the Verifier is abolished.
(2) Section (4) of the Verification Policy adopted by
the Board of Directors on September 27, 1995 is hereby
repealed.
(3) This subsection shall take effect on the thirtieth day after
adoption of this Initiative.
Section 4. Office of the Treasurer
(a) The Treasurer shall request from each Member, upon renewal or new
membership, an address of record be provided.
(b) An address provided in any form by the Member shall be considered
prima facie evidence of his address.
(c) Each Member's name, address, and term of membership shall be
submitted to the Secretary upon acceptance.
Section 5. Office of the Secretary
The Secretary shall keep the records of all Members up to date and in
order.
52 responses total.
Did you ever see "The Blues Brothers"? (movie)
(could we get a refresher on why there is a verification policy and on the arguments against having such a thing?) (as I understand this initiative, it would replace the current policy with a policy of accepting addresses as identification without verification. does this mean physical addresses or does it include other addresses, such as e-mail addresses? if it does include e-mail addresses, would a Grex e-mail suffice? wouldn't that be redundant?)
And should we accept addresses that are obviously fake? Who determines what is "obviously fake"?
As I understand it, the basic reason for the verification policy is so that we can identify the person or persons who use grex as a base of operations for attacks on other systems. I do not think the current system needs changing.
Nor do I. Recall that in The Blues Brothers movie Jake (or was it Elwood? ;-) gave as his address for his drivers license Wrigley Field.
I think the major effect that the ID policy has is to discourage some people from becoming members. I don't know how big that pool is, but I am pretty certain that among the pool are almost all the people who would abuse the privileges that members get. When Grex accepted credit cards back in 2000, there were a number of times when credit cards were charged back because they were stolen. That has happened only once in the 3 years since we dumped direct credit card processing and started using Paypal. My conclusion is that there are people out there who would like to buy memberships and use them for illicit purposes, and we have an interest and a responsibility to try to prevent them from doing so. Now, this is a tradeoff, because I'm sure we discourage some legitimate donors with our ID policy. I'm fairly certain, though, that we also save ourselves a lot of headaches. I can think of a couple things we could do short of abolishing the collection of ID altogether. One is to accept a Paypal "verified address" as valid ID. I have never gone through the process to get a verified account with Paypal, so I don't know exactly what's involved; perhaps someone who has done it could tell us. All I found was this page: https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/verification-outside which says you need to prove you have a checking account (if you're in the US) or a credit card (if you're outside the US). Another thing we could do is do more to encourage people who don't want to send ID to send donations anyway. They wouldn't become members, but they would be supporting the system. Right now we have a page about that: http://www.cyberspace.org/grexmart/donate.html but there's not much to it.
We could promote this option a lot more. It's true that the net has changed a lot since the ID policy was adopted, and people are much more wary about giving out ID (I know I am). So I wouldn't be at all surprised to learn that this holds some people back from becoming members. I would caution everyone, though, not to assume that removing the ID policy will result in everyone who doesn't like it becoming members. A while back a number of people complained that they couldn't be bothered to write a check to Grex, and why didn't Grex accept credit cards? But when we did start accepting credit cards, many of them found a different excuse, and never did become members.
If you link your bank account to PayPal, the confirmation process is pretty simple: They make two small (between $0.01 and $0.99) deposits to your account. When you get your bank statement, you go to PayPal's site and enter the amounts of those deposits. If the amounts match, PayPal takes this as evidence that the account is yours and the mailing address associated with the account is correct.
This response has been erased.
*cough*FUD*cough*
I hope those who expressed doubt about my feelings with regard to jp2's benevolent interest in Grex are reading this...
I now send my membership contribution, and any donations I make to Grex, via Paypal. I would probably be a member even if I had to mail a check, but would be slower about sending the money. I'm more likely to donate now than I used to be. If there was a "no ID required, non-voting membership" link on the WWW page, right next to the current link to contribute for a membership, I'll bet some people would use it. BTW: if there were other options on that page, such as "membership + $10", I would have used one earlier this week when I renewed my membership. I know using Paypal costs Grex some money, and I would have happily contributed a bit extra to cover that cost. Instead, the membership amount of $60 was hard-coded into the link. I didn't have the option to add extra money. I'd have to go back and make another contribution to send any additional money. I'd like to suggest membership +$10, $25, $50, and $100 options be added.
The problem with a "no ID required, non-voting membership" option is that it ignores the other reason we require ID. I think that a "no-ID-required contribution" option that carried no privileges would be reasonable. It might bring in some additional income, although I don't know how much.
Personally, I have sent extra money to cover the Paypal fees that are charged to Grex. IIRC, you can send any amount you like via Paypal, though evidently jep in resp:11 must've used some URL that I'm not aware of.
I think both John and Mickey are correct - you *can* send any amount via paypal, via http://www.cyberspace.org/grexmart/donate.html. But the link at http://www.cyberspace.org/member.html doesn't allow you to change the amount. I agree we could do a better job with the links. I think John's ideas are good ones.
This response has been erased.
Oh for Christ sake, Jamie, no personal information was ever available online and you know it. You're referring to the fact that I have data on my machine, and my machine is sometimes connected to the internet. That doesn't mean that the data is available over the net! I'll bet your bank has numerous computers which are both on the internet and capable of accessing your banking records. Does that mean your bank is irresponsible? Why don't you go stand in front of it and hand out fliers complaining that they've lied in their disclosure statements. Let us know what happens.
This response has been erased.
jp2's a millionaire!
re 16:
If you're running Windows and aren't *very* careful about applying
security patches promptly, the answer is probably that any data on your
computer is reasonably easily accessible whenever you're on the Net.
Banks and the like, which have historically relied entirely on firewalls for
protection of PCs, have had some significant problems with this recently,
since a lot of the recent Windows worms have had no trouble at all getting
around firewalls.
The e-mail I received, letting me know it was time to renew my membership, had a link to Paypal which had a hard-coded $60 in it. I just used that and didn't look beyond it. Using the link was as simple as it could have been. Adding options would complicate matters, and I don't know if it would be worthwhile overall. I just know if other options were available, I'd probably have used one of them.
re resp:12: I'd overlooked the perks of membership. (-: I agree, a no-ID membership would have to be without outbound Internet privileges. I think it'd be worthwhile offering that as a contribution option.
Re #19: Steve is referring to Windows 2000ff, whereas I am running Windows 98, which is much stupider and therefore less exploitable. And I am up to date on patches. I don't want to do anything with the data that might compromise it, so if there is a real issue here, I'll do what's necessary. But I bristle at being called a liar for saying the data "is not stored on the net". It's not, and never has been.
Re resp:17: If you're hoping to only deal with companies that never put your data through a Windows PC, all I can say is, "good luck". Re resp:22: Windows 98 doesn't run most of the services that have been compromised on NT, 2000, and XP, but it is vulnerable to some Internet Explorer and Outlook Express exploits. (Note, too, that Microsoft is dropping support for Win98 soon and will not be providing any more bugfix updates.) The fact that you don't have any services running doesn't help you when someone takes advantage of an IE bug to install BackOrifice. There are at least three bugs in IE that have not been patched yet and will allow a rogue website to install pretty much anything on your computer. My advice at this point is for Windows users to avoid IE and use something else, like Mozilla, Firebird, or Opera. I think jp2 does have somewhat of a point, but the risk would be easily mitigated just by keeping the membership info on removable media and only having it in the computer when you need to work with it. I would also hope you're only storing name and address info, not sensitive stuff like credit card numbers, driver's license numbers, or SSN's.
We don't have any credit card numbers or social security numbers. We do have drivers license numbers. I don't use Outlook Express and only use IE when Opera and Netscape won't work on a particular site. (Try using Opera on microsoft.com sometime - you get a teeny-tiny font that's illegible.) I think putting the database on a floppy sounds like a good way to have data corruption problems, and it's not a good solution for large databases. I guess I could put it on a keyring data chip, and keep it with me at all times, but that seems a little paranoid to me.
My concern isn't that you have it on your person; I'm not worried about physical attacks. I'm just suggesting that if it's not accessible on the computer when you don't need to work with it, that greatly reduces the window of time during which someone can gain access to the data.
Mark, please don't let jp2 rile you. It doesn't seem to be his goal to help Grex with anything. It seems to be his goal to pretend he knows everything better than everyone else. Even if it would be a minor improvement to security, I don't think anyone else expects you to go to heroic efforts to protect Grex data. Just do what anyone would do in these times; take ordinary, normal precautions and if a problem comes up some day, we'll all deal with it. If Jamie can post a piece of data from Mark's files about Grex (or e-mail it to Mark), then I'll think he's uncovered a problem. Otherwise, I'll think Jamie is just trying to stir up trouble where there is none. Again.
(I'd like the discussion to refocus on the initiative presented in resp:0 and how modification of current policy may or may not benefit Grex. I don't consider the security of gathered information to be directly relevant to this discussion because even the initiative as currently worded would require some information to be gathered.)
This response has been erased.
Oh.
.hO
Maybe I wasn't clear, Jamie: personal data about members is not available on the net, and never has been. I doubt your bank can claim as much.
This response has been erased.
This response has been erased.
What was it I said that made you think data was stored online?
I hate to turn this into an argument about definitions, but it really depends on what you mean by 'stored online'. jp2's argument is that if the computer the data is on is ever connected to the internet, the data is 'stored online'. I assume other people are arguing that the data is not 'stored online' unless it's on a permanently-connected system. I suspect the actual intent of the wording would be more accurately expressed as, 'the data is not stored on Grex.'
This response has been erased.
This response has been erased.
Re 35: It may be an argument about definitions, but I don't think the issue is (or is only) occasionally-connected versus permanently-connected. If the data were on Grex, say, there'd be great reason for concern not only because it's online almost all the time, but also because it runs lots of programs which let outside parties initiate logins & other connections. That's not likely to be true of Mark's PC. And it's a really big difference. TBH, I don't know what software Mark uses for Grex's books (& what hardware is required), but I have to wonder whether Grex (or some donor) mightn't find it worthwhile to provide the treasurer - not the current person, but the office - with (say) an older laptop which could hold such data and never be connected, period. That would, at least, reduce the likelihood of software compatibility issues when the treasurer changes - just pass along the computer along with relevant paper stuff.
Well, personally, I'd rather not have to turn on a separate computer every time I want to do something Grex-related. But being able to pass it on to the next treasurer is an advantage, I agree. (I also don't have room to operate two computers at once, so starting one would likely mean shutting down the other.)
24 about Opera and tiny text size, do you have Opera 7? It lets you specify minimum font size, or display in 'text' mode with all fonts the same size, or in accessible mode with all fonts large, or zoom up to 400%. See View, Styles, User mode.
Thanks Sindi - I'm still on Opera 6.05, so that gives me incentive to upgrade.
I upgraded from Opera 7.1something to 7.3something and it fixed a problem I'd been having with eBay.
The latest (as of yesterday) was Opera 7.23. Opera 7x also lets you specify to only accept requested popups. While I was downloading it 5 popup ads accumulated behind the download window all trying to sell me something. I used 6 to download 7. Does Redhat 7 use glibc 2.2.x? Opera 7 is not available for older linuxes than this and I have glibc 2.1.3.
This response has been erased.
You can either choose text ads or set Opera not to automatically display images (at which point you don't see any banner ad at all). In Opera 6 you could not get rid of the graphical ad banner by setting it to 'no images' but in 7 you can. Or you can hit F11 for full-screen without any ad banner, or bars, or menus. You can also remove the icons from all the bars, and remove most of the bars, and get 80% of the page usable even at 640 (as opposed to 50% before you tinker with it). You can run opera in monochrome (but it won't display any images if you do).
jp2 is absolutely correct there's a non-zero security risk in what aruba is doing. There is also a security risk for using a telephone, receiving US mail, and using the bathroom. Most of us accept much greater risks such as driving an automobile, picking change up off the sidewalk, or eating food prepared by total strangers. Other familiar risks many of us are willing to assume include sleeping, physical intimacy with people who are statistically more likely than total strangers to kill us, and oral consumption of ethanol for recreational purposes. I submit that sharing trivial identity data with aruba is much safer than most if not all of these other risks.
jp2 and mark: signs of the time.
46: you don't think we should do things to reduce risk where possible and reasonable?
I believe you may be confused about "risk" and "reasonable". If Mark were to do things entirely using paper & pencil, then there'd be an increased risk of data processing errors. If he were to do things using a computer that weren't capable of going online, then there would remain a risk of transcription errors. Either of these solutions involves increased hassle and nuisance for him, with decreased value to grex - if we were to insist he turn his brain off, he might reasonably conclude we don't need him as treasurer and resign. That would definitely lead to bad things on grex. The position of treasurer on grex is critical to the smooth running of things, and Aruba has been one of our best and most patient treasurers ever. It's unlikely his successor would be nearly as good, especially if we insist on hobbling our treasurer. Right now, while windows 98 is hardly ideal, it's old & stupid enough to be "acceptable". If Mark were to upgrade to XP, we'd have a problem, but I think Mark is at least as eager as we all are to not go there. Someday, in the future, Mark probably will want to upgrade, and we'll have to negotiate as to what happens then. There are lots of possibilities today, and surely there will only be more in the future.
I'm not sure why Grex submits to being held by the balls by a whimful hand.
Re resp:42: Must be 7.23 that I upgraded to, then. Re resp:44: True. I put up with the banner because Opera is the only browser that isn't unacceptably sluggish on my 233 MHz Pentium laptop. I'm not sure what Opera is doing right that Mozilla/Firebird did wrong, but there's a big difference.
TROGG IS DAVID BLAINE