scg
response 25 of 88: Aug 4 06:09 UTC 1996

kerouac's program, possibly without the logging feature, sounds like something
some people might like using.  I don't think I'd use it, but there are lots
of programs here that I don't use.  It's not worth my time to write something
I don't really care about, but if somebody else wanted to write something with
that kind of interface I wouldn't have any objection to installing it
(assuming it was fairly well written and didn't have any of the security or
system load problems that would normally keep us from installing something).
srw
response 26 of 88: Aug 4 06:10 UTC 1996

I'd like to point out to kerouac that he should probably abandon (for
technical reasons) any alternate strategy for finger that involves further
interactions between client and server. Finger is a standard protocol, as janc
pointed out, and part of that protocol is the fact that the client sends one
blast of data to the server, and the server sends one blast back, and
disconnects.

That said, finger servers are quite configurable, and I have seen some
alternate ones that report various other things than you are used to seeing.
I agree that it would surprise fingerers to find that their action was
traceable. Jan said that. It is for that reason that I can defend my original
statement that it would be invasive to divulge logs for finger publicly.

This is a judgment call though. It is equally valid to say that the server
is entitled to log and retain information gleaned from the interaction, in
exchange for providing the service. I lean away from this POV here on Grex,
because of the normal expectation of fingerers.

When it comes to httpd, it shifts more in this direction. There is a lot of
information that a server can collect about those who hit web pages. Some
people are bound to think that collecting it and using it is invasive of their
privacy. Here on Grex, we consider the httpd logs as private, and don't reveal
them. Other sites differ, so be aware.
vedagiri
response 27 of 88: Aug 4 09:18 UTC 1996

        Regarding janc's response that finger queries are relatively
anonymous ----
I took the trouble of getting the RFC for the finger user information
protocol from ds.internic.net (RFC 1288, D. Zimmerman).

Below are sections from that.

The following describes what SHOULD means in the RFC:
>   * "SHOULD"
>
>      This word or the adjective "RECOMMENDED" means that there may
>      exist valid reasons in particular circumstances to ignore this
>      item, but the full implications should be understood and the case
>      carefully weighed before choosing a different course.

The following mentions logging finger queries.
>3.2.7.  Audit trails
>
>   Implementations SHOULD allow system administrators to log Finger
>   queries.

When the protocol specifies that logging SHOULD be allowed by
implementations of finger, it implies that finger queries can be
traced by the sysadmin if wanted. So there is no anonymity in a
finger query at the sysadmin level.

        So what is the real issue in stopping that information
at the sysadmin level? Why shouldn't the info be provided to
users?

        If Mary feels that her privacy should be guarded while
she fingers someone, then the finger ajax example someone gave
suits her concern. She can decide if she really wants to continue
finger.
vedagiri
response 28 of 88: Aug 4 09:31 UTC 1996

On second thoughts, brighn's Gollygee example needs a careful thought. What
about adding one more feature. All people who are paranoid about their finger
query being logged are given an option: "This person logs finger queries.
Do you want to continue..." (this is what Rob Argy suggested). In addition
we will ask another question. "Do you mind your query being logged?". If the
fingerer responds with yes then it is a fair deal.
<Mary, you can't say no to this :)>
What do grexers think?
dam
response 29 of 88: Aug 4 14:52 UTC 1996

I think some people are too concerned about what other people are doing, or
what other people see them doing.  This finger discussion is a perfect example
of it - one set of people who are paranoid about who is accessing information
about them, and another set of people who are paranoid about people knowing
that they are accessing information about someone else.  Is this the same set
of people?  I don't know.  
 
I think it would be an extremely challenging task to make Grex such a private
place that you could do whatever you want without other people knowing what
you were doing.
 
should 'ps' be disabled?  you can write a small script to watch a person, a
pty, a tty, or everyone, and log every command they execute. 
 
what about party?  if it isn't a private channel, people outside of party can
see what is going on, and the people in party don't know!
 
things like this have already been 'closed off', such as mailq, which let you
see who was sending mail where, while it was waiting in the queue.  Well, if
someone wants to, they can still do this when they are logged on using that
'ps' thing I mentioned a moment ago.

So, to the original topic, I think Grex users have a right to know who is
fingering them, but should be responsible for dealing with it themselves.
 
I also think that making finger 'interactive' is impractical, in particular
from an access from the internet perspective.
selena
response 30 of 88: Aug 4 14:59 UTC 1996

Well, I don't have anything in my finger file that I don't mind everyone
knowing, because I know that I have no idea who'll be reading it. As a
matter of fact, I prefer people to finger my plan before they talk to me,
because then they have some idea of who I am, and what to expect.

So, I'm not sure I understand what all the hullabaloo is, but, if someone
wants to know who's read their plan, I don't really see any reason why
they shouldn't be allowed to. 

brighn
response 31 of 88: Aug 4 16:20 UTC 1996

There is much information that sysadmin has access to, if desired, that
clearly shouldn't be made public.  Sysadmin has certain responsibilities that
supersede some rights to privacy.

As far as fingering, if there's an opportunity for the person to decline being
logged, no problem.  IMHO, I doubt many people will say "Sure, log me".
pfv
response 32 of 88: Aug 4 16:37 UTC 1996

Hmmm...

        1) Finger protocol is std, rfc-defined (re 2 good postings)

        2) Syslogs are generally for sysadmin/root use - for good reason

        3) Easy to deny a finger: hide/delete the plan

I'd guess that this pretty-much _STILL_ comes down to a couple points:

        1) It would be a new protocol, probably only on grex-local

        2) It would mean *someone* has to write it

        3) It means more space bound up in duplicated/washed logs

        4) It seems to embody elements of email and finger

Personally, I rarely finger folks here on grex - either I know them or
don't care either way - some of them know me and that's fine, too.

OTOH, I think I'd not enjoy being 'logged' by finger-itself like some
randomly collected marketing data.

A new program for folks that are UNIX-shy..? Fine. Options are always
good, but this also implies that I must support the new program - even if
I don't use it.. Unless the program looks for a specific file that I won't
bother using.
omni
response 33 of 88: Aug 4 18:38 UTC 1996

  I wrote my .plan to be read. There are a lot of things about me that I don't
reveal, or will never reveal. My sister, OTOH, declined to have a .plan and
consequently, no one knows anything about her. No biggie.
  Too much regulation in anything is bad. Let's not bog grex down with a
useless program that no one likes. vedagirl, I'd suggest that you re-write
your .plan file, or make an announcement that you would like to make some
friends and invite any and all to send you e-mail. Who knows what will happen?
That is the exact way that I met freida, and today, we are great friends.
omni
response 34 of 88: Aug 4 18:39 UTC 1996

 Actually, freida sent me e-mail, but the fact remains that we are very good
friends.
kerouac
response 35 of 88: Aug 4 19:12 UTC 1996

I agree with a previous response...as long as users are notified that
someone is logging their !fingering and have the option of
discontinuing rather than revealing themselves, there shouldn't be
a problem.  Grex should be striving for as close to full disclosure as
possible without breaching security.  99.9% of people here
likely have nothing to hide in their plans and don't care who reads them.
The only reason people would care is pure paranoia and that shouldn't
be a consideration.
selena
response 36 of 88: Aug 4 21:47 UTC 1996

NO, Richard. Full disclosure is unconscionable. *Optional* full disclosure,
the system we now have, where you either have a .plan, or you don't, is
what grex should strive for.
And, what do you know? It's already here.
mdw
response 37 of 88: Aug 5 00:42 UTC 1996

Of 493 remote finger requests in the past 19 hours, only 172 had remote
user information.  The finger protocol includes a "forward" feature that
remote users could use to hide their identity, even if their ISP would
normally send us this information.  On grex, we don't log any
information on what people finger.  We (staff) are only interested in
people at remote sites who might be abusing the link; not what they're
looking at.
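
An added illustration of the logging policy described in response 37 (not part of the original post, and not Grex's code): the sketch parses a finger request line in the simplified RFC 1288 form, detects the "forward" feature, and builds an audit record that keeps where a query came from but not whom it asked about. All function names, the regular expression and the sample traffic are assumptions made up for this example; how a site obtains the remote user name is left out.

```python
import re
from collections import Counter

# Simplified RFC 1288 request line: optional "/W", optional user name,
# zero or more "@host" forwarding hops. All names here are hypothetical.
QUERY_RE = re.compile(r"^(?:/W\s*)?(?P<user>[^@\s]*)(?P<hops>(?:@[^@\s]+)*)$")

def parse_query(line):
    """Parse one request line (bytes); return a dict, or None if malformed."""
    if not line.endswith(b"\r\n"):
        return None
    try:
        text = line[:-2].decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    m = QUERY_RE.match(text)
    if m is None:
        return None
    return {"user": m.group("user"),
            "forward_hops": [h for h in m.group("hops").split("@") if h]}

def audit_record(peer, line, remote_user=None):
    """Log entry that keeps the source of a query but not its target."""
    q = parse_query(line)
    return {"peer": peer,
            "remote_user": remote_user,   # None when the remote site sent none
            "malformed": q is None,
            "forwarded": bool(q and q["forward_hops"])}

def heavy_sources(records, threshold):
    """Peers with at least `threshold` queries: candidates for an abuse check."""
    counts = Counter(r["peer"] for r in records)
    return sorted(p for p, n in counts.items() if n >= threshold)

# Constructed sample traffic (documentation addresses, made-up names).
SAMPLE = [
    ("192.0.2.10", b"someuser\r\n", "alice"),
    ("192.0.2.10", b"/W otheruser\r\n", None),
    ("192.0.2.10", b"\r\n", None),
    ("198.51.100.7", b"someuser@relay.example\r\n", None),
    ("198.51.100.7", b"bad query\r\n", None),
]
RECORDS = [audit_record(*s) for s in SAMPLE]

if __name__ == "__main__":
    for r in RECORDS:
        print(r)
    print("heavy:", heavy_sources(RECORDS, 3))
```
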
vedagiri
response 38 of 88: Aug 5 08:15 UTC 1996


To the question of paranoia -
       People already have an option
        (.plan / no .plan / bogus .plan).

To the issue of a non-standard finger client
       If it is going to be a local grex-only finger command, the remote
finger queries are not going to be affected in any way. We are not altering
the finger protocol. We are thinking of an alternate finger interface
(local to grex). It could be a script over the current finger command.
I think this is a trivial script to write (Pardon me for being so callous,
Small work is work too...I agree).

To the issue of abuse -
       If it is possible then they are already doing it.. !


pfv
response 39 of 88: Aug 5 09:01 UTC 1996

re: 38

        Same story - Different day..

        You want a program or script, then write it or find an author.

        You've already been informed that some of the data is kept around,
        but in no case all the data.

        Exactly where in the above statement(s) are you unable to read and
        understand what has been said?

        Sheesh... You want the goodies and you want someone else to write
        them AND you are a majority of one.. Get a grip, ok?


vedagiri
response 40 of 88: Aug 5 09:35 UTC 1996

re pete's response #38 -


Please tell me if I can write the following in Bourne Shell.

#sh

poll_finger_hit()
{
#       The BruteForce method
#       _____________________
#       list all the processes on the system
#       search for all fingers - I discover this is worse pete,
#       I get a list of who fingers whom !
#       search for fingers with my name

        while ( 1 )
        do
                ps -aex | grep finger | grep vedagiri >> finger.hits
        done
}

# start the polling in background
# the finger.hits file will contains the log
# read it at leisure, vedagiri...

poll_finger_hit &

# It might not be able to trap
# all the finger queries but will surely give me some output
# I am not very comfortable at scripting,
# and the above is proof of that. What will happen
# to grex if people start writing home brew scripts
# to achieve their ends.

# This is not what I want pete, *really* !

vedagiri
response 41 of 88: Aug 5 09:59 UTC 1996

Sorry about the above response. If this is really wasting all our time we will
stop this *now* ...
vedagiri
response 42 of 88: Aug 5 11:07 UTC 1996

        Just because finger was designed the way it is today doesn't mean that
we should have our hands tied and just keep watching it. Change is the only
permanent thing. I am running a campaign for this item through my .plan file.
I will bring in more people who think in similar terms. Regarding #40 (my
resp): It was emotional.. After all what are these conf.s for?


vedagiri
response 43 of 88: Aug 5 11:33 UTC 1996

The script in #40 has a syntax error : while ( 1 ) should read as while test
true.

remmers
response 44 of 88: Aug 5 12:29 UTC 1996

The script in #40 would be a humongous load on Grex, methinks.
But to answer your question toward the end of #40, people are
already running resource-hog scripts on Grex to achieve their
ends, so this is not some new problem that we would be facing
if your wishes aren't catered to. What happens is that when a
staff member notices, the person is asked to stop doing it.
vedagiri
response 45 of 88: Aug 5 13:36 UTC 1996

pete's response asking me to write a script if I really needed it that bad
triggered all the above responses. I won't run such a script on any system.
But when pete says "Buddy, the logs are there, the shell is there, you are
there,... Get your own way of figuring out", I can't really go out and figure
it out myself. (as in #40). We are discussing whether it is right to expose
certain parts of the finger log to users. I am not asking for ad hoc queries
on the log file like
        "Who fingered user pete?" | "How many of 'em were females?"
I am going to ask:
        "Who are the people who wanted vedagiri to know that they fingered him?".

It involves just me and a person who has agreed to finger logging.

If, I repeat *if*, we can afford to give the person who was fingered the
information he requires, without overloading grex with too many processes,
log space and without compromising on individual privacy or system security
there is no reason why this shouldn't be provided.

dam
response 46 of 88: Aug 5 16:33 UTC 1996

Does this OS have a ACL type system something like VMS has?
omni
response 47 of 88: Aug 5 17:13 UTC 1996

  I don't like a lot of regulation, and I don't want you to turn grex into
a police state, vedagirl. As a rule that I adopted long ago, I never hit on
any females for the purposes of finding a date, or otherwise. I practice good
netiquette, and I would hope others do. Unfortunately, there is a small but
vocal group that does not, and because of them you're willing to slap a
regulation on the 99% who don't need or want it.
remmers
response 48 of 88: Aug 5 18:22 UTC 1996

re #46: No.
remmers
response 49 of 88: Aug 5 18:33 UTC 1996

Re #45: I think the result of implementing what you propose
would be that people would use finger less, since they wouldn't
know what they were setting themselves up for. As others have
pointed out, if you want to make friends here there are more
direct and appropriate ways of doing so that are not invasive
of privacy.