|
Grex > Coop12 > #127: Grex, once again, has pissed me off | |
|
scott
|
|
response 54 of 184:
|
Sep 5 12:57 UTC 2002 |
(I think there's a bit of a pattern, with M-Net people like Tod and Jamie
used to *not* being able to trust the leadership.)
|
jmsaul
|
|
response 55 of 184:
|
Sep 5 13:28 UTC 2002 |
(I could turn that around, by suggesting instead that there's a pattern of
Grex people like yourself having blind faith in the leadership. I don't
think it would make for productive discussion, though. And incidentally,
Tod was part of M-Net's leadership for quite some time.)
|
scott
|
|
response 56 of 184:
|
Sep 5 13:33 UTC 2002 |
(I suppose if I had had some experience with Grex leadership deliberately
acting in bad faith I'd be less trusting. In my, um, 8 years (?!?) on Grex
that's never happened. Dunno how M-Net's record has been; I do recall there
having been a number of mishaps with money but I don't recall if there was
any malice involved)
|
cmcgee
|
|
response 57 of 184:
|
Sep 5 14:11 UTC 2002 |
I think that Grex and aruba are doing a fine, minimalist job of verifying
people's identity, and holding on to sufficient information to show we were
acting reasonably if a court sees fit to issue an order involving us and our
information.
Remember that this information is only divulged to anyone other than the
treasurer if there is a court order in place. Many of you would be surprised
to know that my Grex membership is not under cmcgee, but another login ID.
But aruba knows how to link that login to a real person, if he is required
to by our court system. Short of that, my identity is "safe".
For active participants in conferences, there are far more revealing
details about our identities and whereabouts than an old driver's license
would reveal. And that information is available to _anyone_.
I don't see any reason to change how much information we collect, nor how we
retain it. Mark has gone far beyond reasonable in taking the credit card
stuff off his computer.
And the people complaining the loudest have left a permanent, public
record of their professions, physical locations, photos and other
identifying information
than Grex would
_ever_ ask for.
|
tod
|
|
response 58 of 184:
|
Sep 5 16:49 UTC 2002 |
re #53
I feel like there are two issues that need to be addressed:
1) Authentication
2) Liability
Authentication is usually something instituted for access control purposes.
When authentication is being utilized, you want to have identification,
authentication, authorization, and finally accountability(liability).
So yes, I'm curious what is sufficient identification/authentication method.
I am also curious about the administrative, physical controls, technical
controls, and policies that encompass the liability/accountability portion.
Examples: administrative(supervisory structure), physical(copies),
technical(auditing trail), and policies(self evident).
re #54
Finding a pattern between myself and others that are also users on M-Net is
a nice spin, but a wasted effort. I'm a Grex member. I've been a Grex user
off and on since its inception. I've even donated hardware in the past.
Try not to dismiss my sincerity with simple prejudice.
Contrary, I'm actually creating "trust" with "leadership" by examining the
necessary controls to ensure that the intended security of Grex is not
compromised. My background is very extensive with security so you can imagine
my concerns are legitimate when I am providing copies of my identification
and want to know the depths that it will be used.
re #55
Thanks Joe. I sympathize with Scott's defensiveness. Maybe, he'll take off
the M-Netter goggles and lower the hostility, maybe not. ;)
|
aruba
|
|
response 59 of 184:
|
Sep 5 21:34 UTC 2002 |
Re #58: Administrative: it's just me. I am responsible to the board and the
members, if that's what you mean. But we are all volunteers.
physical controls: I lock the door when I leave the house.
policies: We've talked about that a lot already; I think all the relevant
policies have been stated.
Is that what you mean? I am happy to be subject to scrutiny, if it will
help build trust and serve the goals I stated around here someplace. Like
you, Todd, I prefer it when the discussion is civil.
|
jmsaul
|
|
response 60 of 184:
|
Sep 5 22:53 UTC 2002 |
I've served in leadership positions on M-Net myself, including President, and
I don't enjoy feeling hassled either -- but it's important to separate out
the personal emotional reaction ("get off my ass, you never do anything for
the system") from the possible genuine issues that may be behind the hassle.
It isn't easy to do, speaking from personal experience.
There really is an issue here with retention of personal information, though.
Actually a couple: (1) does everyone know what information Grex is retaining
about them, and (2) should Grex be retaining that information. Based on this
and parallel discussions, I couldn't answer "yes" with confidence to either
question. Could you?
|
scott
|
|
response 61 of 184:
|
Sep 5 23:14 UTC 2002 |
The FAQ seems to cover those questions, Joe.
|
tod
|
|
response 62 of 184:
|
Sep 6 00:06 UTC 2002 |
Other has answered any questions I've posted. Whether those results are acted
on is an entirely different ball of wax, but I do appreciate that everyone
has shown some interest.
|
jp2
|
|
response 63 of 184:
|
Sep 6 00:10 UTC 2002 |
This response has been erased.
|
tod
|
|
response 64 of 184:
|
Sep 6 00:15 UTC 2002 |
It shouldn't.
|
other
|
|
response 65 of 184:
|
Sep 6 02:19 UTC 2002 |
Grex and M-Net have only the slimmest of relevant similarities.
|
jmsaul
|
|
response 66 of 184:
|
Sep 6 02:32 UTC 2002 |
I disagree, but the only reason I'm mentioning it is to say that I know what
it feels like to get criticized when running a volunteer organization.
Re #61: I suspect most people aren't aware you retain credit card numbers
(though who knows), and I personally wouldn't answer yes to the
question about whether you should be retaining the information.
But whatever. I'll take this up when and if I donate.
|
cmcgee
|
|
response 67 of 184:
|
Sep 6 02:39 UTC 2002 |
For donations you don't need to give us ID. For a membership (which
includes outbound telnet access) you do.
|
jmsaul
|
|
response 68 of 184:
|
Sep 6 13:49 UTC 2002 |
Ooh. Outbound telnet access. That's scary, and impossible to get anywhere
else, especially on a college campus where hundreds of students run illicit
servers connected to UM's network. You're right to lock it up as tightly as
possible.
|
scott
|
|
response 69 of 184:
|
Sep 6 15:48 UTC 2002 |
It's very difficult to get anonymous telnet access, and for good reason.
|
tod
|
|
response 70 of 184:
|
Sep 6 17:16 UTC 2002 |
re #66
Arbornet service should include VA benefits. ;)
|
cross
|
|
response 71 of 184:
|
Sep 6 20:21 UTC 2002 |
Regarding #69; Really? Any Internet cafe is essentially anonymous. The
New York public library is anonymous. College campuses are the same
thing. Here at Columbia, we have public-access kiosks all over the place
that give outbound telnet access.
|
jmsaul
|
|
response 72 of 184:
|
Sep 6 20:30 UTC 2002 |
(Sssshhh... they think it's still 1990.)
|
mary
|
|
response 73 of 184:
|
Sep 6 20:48 UTC 2002 |
Do internet cafes offer an email program that allows you to be anonymous?
Is Hotmail still anonymous? Or do you get to browse all you want without
having to login but as soon as you want to actually send mail, or buy
something, or participate in a forum you need to give some identifying
information to the provider, or store, or host? That's how libraries I've
visited handle it.
|
tod
|
|
response 74 of 184:
|
Sep 6 21:20 UTC 2002 |
Hotmail asks you for another e-mail address and for your personal information
while you're online. It does NOT ask for a copy of your ID.
Internet cafes ask for money.
Libraries? You can show them a letter from zippy the postman to prove you're
a local resident and that's enough.
None of the above make a copy of your ID that I'm aware of.
|
other
|
|
response 75 of 184:
|
Sep 7 03:30 UTC 2002 |
Do any of these services offer shell accounts?
Disk storage?
Compiler access?
Scripting support?
Yeah, thought so. What was your point again?
|
mary
|
|
response 76 of 184:
|
Sep 7 03:39 UTC 2002 |
No, really, I'm curious, Tod. Can you walk into your library
and end up sending email without going through an account
which has required some form of ID?
Does an internet cafe offer you more than internet browsing?
For anything else don't you pretty much have to login to
a server where you are known?
|
scg
|
|
response 77 of 184:
|
Sep 7 04:06 UTC 2002 |
Talking about legal requirements to collect ID in this context probably
doesn't accomplish much, since there aren't any. We are required to keep a
list of names and addresses of our members, but no other non-profit
organization I've joined has asked for any verification of the names and
addresses. I suspect, therefore, that simply asking for it and recording what
we're given is enough, and the occasional inaccuracy would not be considered
legally our fault.
Grex's ID for Internet use policy is nine years old, and dates from the era
when the Internet was a fairly closed academic network, anonymous access was
hard to come by, and various people in the Grex leadership felt a strong
responsibility to protect our academic neighbors from the sorts of Internet
users they might not be accustomed to dealing with. Today's Internet is rather
different. Anonymous access is quite easy to come by, from Internet cafes
where cash is required but ID isn't, from public libraries where in many cases
it's possible to just walk in and sit down at a computer, from those of us
who run open wireless networks, and so forth. No reasonable person connects
their systems to the Internet these days and assumes everybody connecting to
it will have already been authenticated by somebody else. Law enforcement
doesn't need ID from us -- if the user was connecting from within the US they
can look at when the connection came in and from where, and subpoena the
information from the phone company or other Internet system the user connected
from, and track the person that way. But that's not to say nobody collects
identifying information before allowing access to the Internet anymore. ISPs
generally require payment by check or credit card, and store that information
for other reasons. Employers generally require a lot more information about
people than that, again for other reasons. The real question for Grex at this
point is how much we want to know about those who are using our system to
connect to the Internet, so that if they're causing a problem we can cut them
off and make sure they don't just come back under a different name. Again,
we're not legally required to do so, but somebody using Grex to cause problems
elsewhere will cause Grex a big headache, and there's a lot to be said for
being able to get rid of such people easily and for good.
|
jmsaul
|
|
response 78 of 184:
|
Sep 7 05:36 UTC 2002 |
Re #76:
I'm not Todd, but I can answer these.
> No, really, I'm curious, Tod. Can you walk into your library
> and end up sending email without going through an account
> which has required some form of ID?
Yes. You can go create a hotmail account (for example). It requires
another valid email address, but once you've got one, you can basically
get an unlimited number. And the one doesn't even have to be yours.
Anyone who seriously wants to cause trouble will cover their tracks.
> Does an internet cafe offer you more than internet browsing?
From the web, unless firewalled, you can do a hell of a lot. Including
downloading telnet software, depending on how restrictive the cafe is (or
isn't).
> For anything else don't you pretty much have to login to
> a server where you are known?
No. You can do a tremendous amount from the Web. Really.
|