|
Grex > Coop13 > #357: Member initative: Getting rid of ID requirements | |
|
| Author |
Message |
scholar
|
|
Member initative: Getting rid of ID requirements
| 
Sep 1 20:01 UTC 2006 |
I am a member in good standing and this is a member initative.
The proposal is as follows: Members of Cyberspace, Inc. will not be required
to provide identification.
|
| 58 responses total. |
scholar
|
|
response 1 of 58:
|
Sep 1 20:08 UTC 2006 |
According to http://www.cyberspace.org/memfaq.html#whydoineedid , proof of
identification required because:
1. While we are very comfortable allowing anonymous users access to Grex,
we are not comfortable unleashing them on the rest of the Internet. It would
be irresponsible of the Grex administration to allow people we can't identify
to telnet through Grex to other systems, so we require ID from everyone we
allow to do that.
2. Cyberspace Communications is required by the state of Michigan to
maintain an up-to-date list of members. Implied in this requirement is that
we make sure no two memberships are held by the same person. So we require
ID to connect accounts with real people and make sure no one has the ability
to vote twice in Grex elections.
These reasons are invalid for a number of reasons:
1. It's incredibly easy to forge I.D. that would be accepted by Grex.
2. If someone wants to vote twice, they could just sign up their friend,
their spouse, their sometimes lover, or whatever.
3. Member verification is *not* required by Michigan law.
4. Many other organizations in Michigan, including Arbornet, Inc., do not
require I.D. from their members and do not appear to have had any problems.
Basically, the I.D. requirement does nothing to stop any of the problems it's
meant to stop, does not help us comply with the law, and inconveniences
potential members. It should be abolished.
|
scholar
|
|
response 2 of 58:
|
Sep 1 20:09 UTC 2006 |
I endorse taking this to vote.
We need five more endorsements.
|
tod
|
|
response 3 of 58:
|
Sep 1 21:38 UTC 2006 |
I 2nd this motion.
|
naftee
|
|
response 4 of 58:
|
Sep 1 23:02 UTC 2006 |
excellent proposal, scholar
|
scholar
|
|
response 5 of 58:
|
Sep 1 23:10 UTC 2006 |
By the way, my purpose in proposing this is to a) cut down on hassle and b)
get new members for Grex.
With the rate at which membership has been falling, it is in Grex's interest
to make becoming a member as easy as possible. I know of at least one person
who would sign up if the identification requirements were dropped.
|
nharmon
|
|
response 6 of 58:
|
Sep 2 00:00 UTC 2006 |
Don't forget, you want to help naftee become a member without making him
submit ID.
|
tod
|
|
response 7 of 58:
|
Sep 2 00:07 UTC 2006 |
Psst...paypal
|
scholar
|
|
response 8 of 58:
|
Sep 2 06:21 UTC 2006 |
Re. 6: I want to help all people become members without submitting ID.
Re. 7: They only accept Paypal 'verified' accounts, and it's a hassle to get
verified.
Also, a lot of people just won't use Paypal. And based on what I've heard
about Paypal, I can't say I blame them.
|
naftee
|
|
response 9 of 58:
|
Sep 2 16:51 UTC 2006 |
I don't use Paypal, and would gladly buy a Grex membership were there no ID
rule.
|
aruba
|
|
response 10 of 58:
|
Sep 2 23:48 UTC 2006 |
I would like us to have more members too. The ID requirements were set up
with the intention of making them easy for people to meet; that's why we
accept a plethora of different IDs.
It's true that it's possible to forge ID to become a member of Grex. It's
even happened once that I know of. (Well, someone sent an ID stolen from
someone else.) But, if someone does that, then they have committed fraud,
and can be prosecuted for it. If, on the other hand, we were to allow
someone who is unverified access to services which they used to do something
illegal, it is *we* who have failed.
I'm sure it's true that requiring ID from members has cost Grex money.
And it's certainly cost me a lot of hassle. I am also 100% certain that
requiring ID has prevented people from becoming members and using Grex for
activities that would get both them and us in trouble.
|
naftee
|
|
response 11 of 58:
|
Sep 3 02:19 UTC 2006 |
But you have to admit that now, in 2006, there are much easier ways to cause
trouble on the Internet without a GreX membership than it was when the ID
rule was created. A "cracker" would have to go out of their way to send you
a cheque or money order or whatever to get outbound access from GreX when it
is far easier to
use certain web proxies to achieve the same effect. I even welcome you to
suggest something that a "cracker" could do on GreX that he wouldn't be able
to do more easily elsewhere on the internet. Spamming ? Free e-mail bomb
sites are easy enough to find; ask Winn Schwartau.
Anyway, I promise not to use GreX for anything bad if I had a membership.
Would you take my word for it, instead of ID, aruba ?
|
nharmon
|
|
response 12 of 58:
|
Sep 3 02:21 UTC 2006 |
In god we trust, everyone else must show ID. :D
|
trig
|
|
response 13 of 58:
|
Sep 3 03:53 UTC 2006 |
totally unlucky.
|
scholar
|
|
response 14 of 58:
|
Sep 3 05:20 UTC 2006 |
re. 10: Given the ease with which one may forge ID that will be accepted by
Grex, requiring ID provides no more confidence in someone's identification
than just taking their word for it would. It does, however, cost Grex money.
|
remmers
|
|
response 15 of 58:
|
Sep 3 17:00 UTC 2006 |
(See Item 354, resp. 14 - resp:354,14 - for the rules governing voting
on member proposals.)
The issue is a bit complex because membership confers several different
tangible benefits:
(1) For US taxpayers, a tax write-off (since we're 501(c)3).
(2) Participation in governance (eligible to vote, serve on the board,
make proposals).
(3) Access to various outbound internet services.
I don't think I'd support an across-the-board removal of ID
requirements, especially as regards (2): We owe it to folks to make a
good-faith effort to ensure one-person-one-vote.
Also, being incorporated in Michigan means that Grex is subject to
certain rules regarding maintaing a list of member names and addresses.
I'm not sure what that implies about ID requirements.
|
aruba
|
|
response 16 of 58:
|
Sep 3 17:34 UTC 2006 |
It's a fallacy to assume that because the system can be beaten by a
determined person, it must not be doing any good. I'm convinced that
requiring ID prevents some people from using Grex in ways that will get us
into trouble. I'm sorry, Brett, I don't know the technical details, but I
do know that we have often had a lot of people pay for memberships $6 at a
time, just to use our internet services. I also know that during the period
when we accepted credit cards directly, we had several people become members
using stolen cards. So there are people out there who want to use Grex as
an anonymizer to do something they can't do without being in the internet
group.
Well, I admit my data is a few years out of date. Maybe no one wants to do
these things anymore. But I doubt it.
The argument, "There are much better platforms than Grex to use for cracking
systems, therefore we don't need to worry about crackers on Grex" is also a
fallacy. The point is that *if* we provide someone with the means to do
something illegal/unethical/obnoxious and *if* they do it, then we are
complicit. Whether or not they could have done it better elsewhere.
|
steve
|
|
response 17 of 58:
|
Sep 3 17:39 UTC 2006 |
Quite true. Grex is a platform that can be used for bad things. If
anyone doesn't believe that, please remember the problems we've had with
email, and why we had to turn off automatic outbound mail access for new
accounts. Today we see people running exploits on port 80 (usually Perl
programs) to attack sites, because we allow that port.
With fewer systems like Grex on the net, Grex becomes a target for
folks trying to do things.
|
cross
|
|
response 18 of 58:
|
Sep 3 20:05 UTC 2006 |
"systems like Grex" is relative. If you mean open-access Unix systems, that
may be true, but it's my impression that there is less interest in such things
than there once was. On the other hand, if you mean Unix systems period, then
the number of such things has exploded since grex first came online, and grex
is certainly not that interesting.
Personally, I'd like to see some current data driving the rationale for things
like the ID requirement. I see at least one counter-point that indicates that
NOT having such a thing works (mnet), but none so far that show that it has
ever done any good.
|
naftee
|
|
response 19 of 58:
|
Sep 4 01:55 UTC 2006 |
re 16
Give me one of those "bad things" that can be accomplished on GreX.
And wouldn't you agree that if a cracker found GreX to be adequate for his
needs, he would be smart enough to find a way to fake some sort of ID? Don't
forget that the more stringent you make your ID requirements, the more likely
it is that someone is going to say "screw it; it's only GreX".
I would also like you to give me an example of a cracker using GreX in a
malicious way who was eventually caught thanks to him giving his ID to gain
membership access. If there has not been such a case, then this ID rule
really is a "just in case" policy that is frankly not worth it anymore.
|
scholar
|
|
response 20 of 58:
|
Sep 4 02:34 UTC 2006 |
re. 15: Grex would still require the IDENTIFICIATION of members.
|
steve
|
|
response 21 of 58:
|
Sep 4 04:18 UTC 2006 |
Yes, a determined vandal could indeed make up false ID and send it in,
but the idea of having to do that is a repellant, such that, as far as I
know its happened only one time and the person using the false ID didn't
do anything with their account. As far as "bad" things that can be done
on Grex, it is primarily Perl scripts such as udp.pl which are either
udp flooders, or attacks on BBS's (I've seen at least three varients on
udp.pl).
Yes, there is less interest in systems like Grex now, since anyone
could create a small unix system of their own to play with. However
we still get people who use Grex to learn about unix, and at least a
dozen people in the last couple of months who've been doing C coding.
It suprises me that there are still folks who need to use Grex for
that kind of thing, but its one of the reasons we're here, so thats
neat.
|
scholar
|
|
response 22 of 58:
|
Sep 4 04:22 UTC 2006 |
No need to be 'determined'.
I'm sure I could whip up fake ID that would be acceptable to Grex in five
minutes.
The only thing the ID requirement seems to deter is donations to Grex, and
that's a shame.
|
steve
|
|
response 23 of 58:
|
Sep 4 04:26 UTC 2006 |
No, the ID requirement doesn't deter donations, scholar. Grex gets money
from the people who like Grex and "get" helping out, quite regardless of
what else they need to do. In that sense, Grex is like public radio--only
a small fraction of the users send in money. We can make it easier for
folks, like offering Paypal. Things like that help Grex out more.
I'll also point out that very very few people have ever complanined
about the ID requirement in the time that we've been doing this.
|
scholar
|
|
response 24 of 58:
|
Sep 4 04:28 UTC 2006 |
Really?
Aruba, who is the treasurer, has said in this very item that the ID
requirement has deterred donations to Grex.
Why do you doubt him?
|