|
|
| Author |
Message |
| 25 new of 183 responses total. |
scg
|
|
response 50 of 183:
| 
Mar 28 13:58 UTC 1995 |
But I would imagine that no matter how fast an Internet connection
Grex gets, it will always require verification of users to use outbound
telnet and the like. Just because somebody else is doing something
doesn't mean it is the right thing. Grex (and Metronet too, for that
matter) has the responsability to know who it is letting out onto the Net,
so that if somebody sends mail to staff saying that they've been hacked by
somebody coming from Grex, staff will know who the person is.
Metronet does a number of things to show that they don't know what
they are doing, including a security hole that I mailed them about several
months ago and and that still hasn't been fixed. Metronet is a really
neat system in terms of what it's intended to be, and I wish there were
more systems around with that kind of intentions, but Grex is fortunate to
have a lot of very compitent people here, and we shouldn't be basing our
policy decisions on what's done on a system where the people don't have
much of an idea of how to run it.
Being verified for Grex does not put you in any danger. All it
does is let whoever our verifier is know who you are, and unless you do
something *really* bad, nobody else will have to see it. Unless you're
planning to do something destructive, you have no need to worry.
|
selena
|
|
response 51 of 183:
|
Mar 28 16:43 UTC 1995 |
But, what about the right to see the list of members, as mentioned
by aaron? The list is NOT safe!
|
rcurl
|
|
response 52 of 183:
|
Mar 28 19:30 UTC 1995 |
Well, lets consider adopting a policy to make all personal information
held by Grex *confidential* (not including login ids and information
in individual .plans). Then it would only be accessible to members,
and then only by order of the circuit court. Are there any good reasons
to either do this, or not do this? I can think of more of the former
than the latter. The lists would have to be available to Grex
"administration", though that could be narrowed to staff, officers, and
others specified by the board.
|
ajax
|
|
response 53 of 183:
|
Mar 28 20:43 UTC 1995 |
It seems like that's Grex's current unwritten policy. If codifying it
in writing would make a difference to selena or others about sending ID,
it sounds like a good idea.
One change I'd suggest though, is to only specify that personal info
mailed or non-electronically delivered to Grex will be kept confidential.
A lot of stuff people put on-line is susceptible to general system snooping,
at the very least by hackers. I think a policy that implies privacy for
mail or personal files on Grex is optimistic...Grex should just try to do
its best at security, but without any promises.
|
sidhe
|
|
response 54 of 183:
|
Mar 29 19:00 UTC 1995 |
Odd, I thought I had put both the login and the password for
metronet awhile backk.. oh, well.
|
srw
|
|
response 55 of 183:
|
Mar 29 21:08 UTC 1995 |
I guess I missed it.
|
steve
|
|
response 56 of 183:
|
Mar 31 22:00 UTC 1995 |
Selena, the list is safe. I think that if we were taken to task,
we'd probably go to court over it, to prevent its dispersion. At
that point, if the court *ordered* it, we'd have to release it. But
guess what? Thats always true about anything we, or anyone else
does. If a judge orders it released, then we have to. The same
goes for the Ameritech AMA records which contain records of that
phone number you are using to contact Metronet, down to the closest
second. (Actually, phone data is *much* *MUCH* less secure. There
are already numbers that *automatiically* give out the CNA (customer
name & address) data on a console if you call that number. Domino's
and Ameritch are working on something called "950" service which does
just that).
So, anything in the electronic world is subject to scruitny,
for better or worse (I believe it for the worse). What I'm getting
to is this: if someone is concerned about their privacy, Grex is
one of the *last* things to worry about. Your cars license plate,
drivers license, and SSN had better be hidden from everyone, because
any of those can be used to garner a lot of information about someone.
It's been said up above, but I'll add a few more thoughts about Grex
wanting/needing identification. One of the interesting things, or maybe
I should say annooying things about working on the Grex console is that
the console gets "syslog" messages, which go into a log file (several
different ones really) indicating various things (problems, special
things, etc). One of the things that happens when a non-member tries
to perform some outbound-IP access is that the console user sees a
"connect: Denied access to uid: xxxxx" message thrown on the screen,
crashing onto the screen, messing up the screen for anything else that
might be running on the console.
The interesting part is how many people get accounts here on Grex,
*only to immediately attempt to get back out on to the net*. This
doesn't happen occaisonally, it happens more than a dozen times a day. I
know because at one point I dug through the logs, trying to see just how
often it happens. It happens a LOT. Now, think about it for a sec:
these people already have access to the net, somehow, else they
wouldn't be telnetted into Grex. No matter what, they had the ability
to telnet here, yet they're trying to establish yet another conneciton
onto the net, to get back out.
There aren't many good reasons for this. Telnetting to a telnet
session to a telnet session has a number of undesireable effects,
like extra lag time for every character that you type, among other
things. But it does have the interesting effect of making it one
hell of a lot harder to track down someone who's just deleted 4G of
data at a little college in Mississippi, whose people didn't
understand how to protect themselves and just got royally screwed
because of it!
In asking for ID, we have repelled the vast majority of people
who'd like to use Grex as a stepping stone on to some other system.
Have we protected ourselves perfectly? No, I don't think so. But we
have, to my current knowledge, not had someone yet get a membership here
only to use Grex for neferious purposes. Most of the "bad" people try
telnetting from a new system they're on, and then just leave when they
find out that they can't. Having to provide ID is too risky: too much
bother, too much chance that they'd leave a real trail.
Grex needs to be *really* careful about all this. *There are people
who are HORRIFIED THAT WE EXIST IN THIS OPEN FORM THAT WE ARE*. Let
me state this again: there are people out there who think we are *evil*
and stupid for letting unauthenticated accounts have email access to
the net. THERE ARE PEOPLE OUT THERE WHO WOULD RATHER THAT GREX NOT
EXIST. Same for M-Net and all the other systems that let people do
things without a ton of ID presented before doing anything. These
people annoy me. I don't like them.
If Grex were open, and allowed anyone to telnet/FTP/? out
from here to wherever, we'd be screwed, simple as that. Depending
on who/what Grex "bothered" or "hurt", we'd be royally screwed.
I for one, don't want to see that. I want to see as simple a system
in place as we can have, that presents as minimal a burden onto
people as possible, yet that also protects us. Asking for some
way to get back to the person if something happens is a reasonable
thing to do. But don't think for a second that its the people who
give over the ID that we're protecting ourselves from; it is the
people we never see because we ask for ID that we're protecting
ourselves from.
There is the question of "anonymous" members on Grex. I support
that idea, and I have an idea on how we can implement this. If
someone wants an anonymous membership on Grex, they can talk to
any board or staff member, meet with them FTF and give ID physically
so it can be inspected. That information is written down and
sealed in an envelope, along with the staff/board person who did
this. That sealed envelope is then given to the treasurer, with
the account name written on the outside of the envelope. The
treasuer then puts the expiration date on the envelope; if
the anonymous member drops their membership the envelope is
destroyed.
Why a physical meeting? Becuase of the much greater chance
of fraud. If someone really wants an anonymous membership, they
need to be able to talk to some staff/board person, in person.
This is a potential Pain In The Ass for the treasurer, so we
need to state that this is only for the *rare* case, and if too
many people start doing this we might have to stop simply becuase
of the lack of time that board/staff has for all the things already
swamping us. But it does give Grex the ability to deal with anonymous
users, yet protect itself.
|
ajax
|
|
response 57 of 183:
|
Mar 31 23:00 UTC 1995 |
Just a comment on people telnetting here and trying to telnet out: a
good reason I can think of, besides hackers covering tracks, is that
people who telnet in may have done so through a gopher, which doesn't
allow unlimited telnet, but merely telnets to a few selected systems
like Grex. This is the reason I sometimes telnet both to and from Grex.
|
popcorn
|
|
response 58 of 183:
|
Apr 1 04:58 UTC 1995 |
It's interesting, too, about telnet, because when you just type "telnet"
Grex runs a wrapper script that tests to see if you're a member or not,
and, if not, it displays a message explaining why you can't run telnet
and it exits. If you are a member, it goes ahead and runs telnet.
Everybody who generates the messages STeve is talking about must be
using some other way to run telnet, rather than going through the wrapper
script.
|
nephi
|
|
response 59 of 183:
|
Apr 1 05:28 UTC 1995 |
I completely agree with Steve's reasoning. We are not trying to
protect ourselves from the people that submit ID. We may not even
be trying to protect ourselves from the people that wouldn't give
ID. We are trying to protect ourselves from the people that would
shut Grex down for letting people damage their systems.
|
mdw
|
|
response 60 of 183:
|
Apr 1 09:51 UTC 1995 |
The people who get that may not be trying telnet at all, but finger or
some other service that tries to connect.
If I understand Rane & Aaron aright, the "envelope" trick won't help for
voting membership rights. All any member would have to do is claim they
wish to verify there aren't any fake people on the membership roles, and
that they need the real name & address information to verify that each
voter is in fact real. No judge is going to block that, so bingo, end
of privacy!
|
rcurl
|
|
response 61 of 183:
|
Apr 2 07:10 UTC 1995 |
The request might still be blocked if it can be shown that that member has
an ulterior motive. Some case histories on how those provions have been
used would be interesting (what one pays a lawyer to know, or find).
|
adbarr
|
|
response 62 of 183:
|
Apr 3 02:23 UTC 1995 |
I'm not sure I understand al this, but I am sure I need to. Where is
the "dummies" page? You all must have patience to give away, I hope,
when I ask questions. Two quick notes - Steve Andre' - mdw - popcorn -
1. I want to have some basic understanding of what you are saying. Can
you elaborate? without compromising secrets?
2. nephi - have you sold "Floof Bork Zingity Bleah ? Is it for sale?
Rent? In the public domain?
|
nephi
|
|
response 63 of 183:
|
Apr 3 03:00 UTC 1995 |
Floof Bork Zingity Bleah (c) is not for sale, but I'm willing to
rent it. 8*)
|
steve
|
|
response 64 of 183:
|
Apr 3 03:19 UTC 1995 |
Arnold, can we elaborate on what? I want everyone to understand
what I'm saying. I just don't understand your question, thats all. ;-)
|
popcorn
|
|
response 65 of 183:
|
Apr 3 04:36 UTC 1995 |
Re 63: Hey -- here's the fodder I've been looking for for a million
dollar lawsuit! I had "Floof Bork Zingity Bleah" first! Pay me
royalties!!!!! :) :) :) :) :) :) :) :) :) :)
|
nephi
|
|
response 66 of 183:
|
Apr 3 05:11 UTC 1995 |
Ah, but I was the first to copyright it! 8*)
|
srw
|
|
response 67 of 183:
|
Apr 3 06:46 UTC 1995 |
Arnold. I'm not sure you know Grex's policy on verification.
At the risk of being redundant, I will summarize.
A lot of services on Grex are free and available to unverified accounts.
This includes picospan and email. It also includes telnetting inbound,
and other facilities. It will include other services
like talk, finger, gopher, possibly http, as soon as we make some adjustments
to our operating system. When I say unverified accounts, this means that
the account is created with no supporting documentation whatsoever.
There is no human involved.
Grex does not object to users creating accounts anonymously, using
a psedonym. Sometimes this can facilitate communication.
Other services, including the ability to telnet or ftp out of Grex,
require membership (support $) and verification ( we need to know
who the person is). Our verified membership rolls are not for public
view, although there is discussion over how secret they can be.
The primary reason for requiring membership is to minimize the number
of people doing this, as we have limited bandwidth, and we wish to
use that bandwidth primarily for other purposes. The primary reason
for requiring verification is the legal requirement for voting.
Posting to Usenet is a service that is between these two.
Membership support is not required, but verification is.
The reason is that bandwidth is not an issue, but we must be in a
position to restrict access to ill-behaved users, in oreder to be
good net-neighbors on usenet. We would have no such power if the
ill-behaved one can just create a new account to post from.
(Of course this is moot until usenet is restored.)
|
robh
|
|
response 68 of 183:
|
Apr 3 10:45 UTC 1995 |
Re 62 - I'm not sure what you mean by "dummies' page", but
check out our Lynx shell (run the Unix command "lynx")
and our Menu shell. (Unix command "menu")
|
selena
|
|
response 69 of 183:
|
Apr 4 17:17 UTC 1995 |
Of course, with no exceptions. I've been here since November. I
tell you guys if I see something's wrong, and, except for this issue, I
try my best to NOT be a pain in the ass! What, under the "good neighbors"
concept am I lacking here??
You don't need my ID to see that I'm a decent person- ask around,
if you don't know me! I understand why you'd want to verify someone who
just got here, before allowing telnet/USENet, but Guys, I've BEEN here!
There is simply no room for common sense in your rules. No way to make
exceptions, if you need to, or want to.
I've been on for almost six months now. Can you guys point to ONE
thing, beyond this topic, that I've been a "bad neighbor" about? Just one!
Yes, I have a temper, but I'm not a spammer, or a vandal. Is there any
exception makable for people who have spent time and effort showing
themselves to be good people? I'm sure most of your cybervillains will
find this to be too much trouble to bother with, especially if it were
like a six month minimum for this kind of exception to be considered.
I'm not talking voting rights. I understand <now> that there are
legal problems with that. Your FTF encouters are fine and dandy for
probably every case but mine. I am PHOBIC about that!! If I weren't I'd
have sent in my Driver's Licence a LONG time ago. AND, I didn't send a
fake, <and believe me, where I live, getting one is easy> because I
believe in being honest. Now, how about my "proven good neighbor" idea?
|
rcurl
|
|
response 70 of 183:
|
Apr 4 17:32 UTC 1995 |
The very essence of a democratic society is that the laws (are supposed
to) apply equally to all. That also means that no one is exempted from the
law because they have established themselves as a good neighbor. The
consequence is that, to be democratic, the law would have to be changed,
not excepted. So, we change the law, and good neighbors are verified
without ID. How do we define good neighbor, and where do we draw the line
between good neighbor and bad neighbor, and what if a good neighbor turns
bad? The fact is, laws are made to control bad neighbors, but the good
neighbors accept them because that is the only way to be fair.
|
selena
|
|
response 71 of 183:
|
Apr 5 05:46 UTC 1995 |
It's called common sense, and personal judgement.
|
rcurl
|
|
response 72 of 183:
|
Apr 5 14:50 UTC 1995 |
Common sense and personal judgement are great, but do not substitute for
law. There are inumerable ways in which the common sense and personal
judgements of different people can come into conflict. Here is a case in
point: it is my common sense and personal judgement that persons given
access to telnet should provide personal identification.
|
ajax
|
|
response 73 of 183:
|
Apr 5 16:00 UTC 1995 |
(#70 was nicely expressed!)
|
steve
|
|
response 74 of 183:
|
Apr 5 16:06 UTC 1995 |
Selena, it isn't that you are a good person. I already believe
that. The issue is, really, how to we effect a system that is fair
and consistent, and as imprevious as possible to favoritism?
|